[Servercert-wg] Ballot SC14 version 3: Updated Phone Validation Methods

Doug Beattie doug.beattie at globalsign.com
Tue Jan 15 11:57:08 MST 2019


Wayne,

This was discussed a little on the Validation Summit Google Docs page where there was a recommendation: Don’t permit phone transfers except to a Domain Contact. So, we added in the clause: “In the event that someone other than a Domain Contact is reached, the CA MAY request to be transferred to the Domain Contact”

Domain Contact: The Domain Name Registrant, technical contact, or administrative contact (or the equivalent under a ccTLD) as listed in the WHOIS record of the Base Domain Name or in a DNS SOA record, or as obtained through direct contact with the Domain Name Registrar.

If we permit phone transfers to a Domain Contact, then it seems like the CA needs to know they are being transferred to a Domain Contact (and not the maintenance department). I recall a discussion about this when we first discussed this (don’t get transferred to the Maintenance Department for domain approval).

We can certainly leave the details of knowing they are being transferred to a Domain Contact up to individual CA policies and procedures and take this out, I’m fine with that. It just seemed “logical” to say you can only be transferred to a “Domain Contact” if something more than the phone number was supplied as part of the Domain Contact data record.

I’ll plan to go ahead and remove this unless I receive any other feedback.

Doug

From: Wayne Thayer <wthayer at mozilla.com> 
Sent: Tuesday, January 15, 2019 1:11 PM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Ballot SC14 version 3: Updated Phone Validation Methods

Doug,

On Thu, Jan 10, 2019 at 1:07 PM Doug Beattie via Servercert-wg <servercert-wg at cabforum.org> wrote:

This is version 3 of Ballot SC14 with the following changes from Version 2:

* Methods for how the Random Value is returned to the CA when left on a voicemail were removed and changed to: The Random Value MUST be returned to the CA to approve the request.
* Changed references of Random Number to Random Value, the proper defined term.
* On the topic of being transferred added “knowingly” to: The CA MAY NOT knowingly be transferred…
* Changed effective date from July 31 to May 31.
* When performing a transfer, added the clause that the CA MAY request to be transferred to the Domain Contact, “provided that such a name, role or descriptor is part of the provided Domain Contact”

This new language “provided that such a name, role or descriptor is part of the provided Domain Contact” is really confusing me:

In the event that someone other than a Domain Contact is reached, the CA MAY request to be transferred to the Domain Contact, provided that such a name, role or descriptor is part of the provided Domain Contact.

Are you trying to say that the CA can only ask to be transferred to an entity that is explicitly listed as a Domain Contact? What is an example of a "descriptor"? Also, the latter "provided" implies that this is coming directly from the Applicant.

Thanks,

Wayne
