[cabfpub] [EXTERNAL] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Gervase Markham gerv at mozilla.org
Mon May 1 12:13:08 UTC 2017


On 28/04/17 15:56, Peter Bowen wrote:
> I would suggest a simpler approach — simply remove Delegated Third
> Party from the BRs altogether.  That removes the carve-out allowing
> the CA to shift blame.

Do I understand right if I say that the removal of the DTP concept from
the BRs would not stop CAs getting third parties to perform parts of the
validation process; it would simply mean that it was required that those
third parties were included in the scope of the CA's audit? (And that if
the CA saw practical problems with that, they would have to not delegate
that function to that entity.)

So then domain validation could be delegated, but would have to be
properly audited in the audit which the root stores get to see?

Gerv



More information about the Public mailing list