[cabf_validation] Domain Authorization Documents under subsection 2 and 4 of the proposed domain validation re-write

Ben Wilson ben.wilson at digicert.com
Thu Jul 16 11:57:30 MST 2015


On today's call I said I would look at the DV validation methods 2 and 4 in
the proposal to see whether they could be merged and some of the language
eliminated.  For instance, it was asked why subsection 4(b) needed to say,
"used by the CA to verify a previously issued certificate and that the
Registered Domain Name's WHOIS record has not been modified since the
previous certificate's issuance" and why that wasn't already covered by
section 3.3.1 of the Baseline Requirements.  

 

The problem is that I do not see where the right to re-use the Domain
Authorization Document is preserved beyond 39 months, like it is in the EV
Guidelines.

 

Section 3.3.1 of the Baseline Requirements states:

 

The CA MAY use the documents and data provided in Section 3.2 to verify
certificate information, provided that the CA obtained the data or document
from a source specified under Section 3.2 no more than thirty-nine (39)
months prior to issuing the Certificate.

 

Section 11.14.1 of the EV Guidelines says,

 

If an Applicant has a currently valid EV Certificate issued by the CA, a CA
MAY rely on its prior authentication and verification of:

(1) The Principal Individual verified under Section 11.2.2 (4) if the
individual is the same person as verified by the CA in connection with the
Applicant's previously issued and currently valid EV Certificate;

(2) The Applicant's Place of Business under Section 11.4.1;

(3) The Applicant's Verified Method of Communication required by Section
11.5 but still MUST perform the verification required by section 11.5.2(B);

(4) The Applicant's Operational Existence under Section 11.6;

(5) The Name, Title, Agency and Authority of the Contract Signer, and
Certificate Approver, under Section 11.8; and

(6) The Applicant's right to use the specified Domain Name under Section
11.7, provided that the CA verifies that the WHOIS record still shows the
same registrant as when the CA verified the specified Domain Name for the
initial EV Certificate.  

 

Section 11.14.1 is an exception to the time frames in Section 11.14.3 of the
EV Guidelines.

 

Domain Validation based on current section 3.2.2.4.5 ("Relying upon a Domain
Authorization Document") needs to be preserved as an exception to the aging
requirement (like it is in Section 11.14.1(6) of the EV Guidelines), or else
the Baseline Requirements will be more strict than the EV Guidelines.  

 

Section 11.14.1(6) of the EV Guidelines should be ported over to the
Baseline Requirements.  

 

In any event, I took a stab at merging and re-writing some of the language
in subsections 2 and 4, and this is what I came up with:

 

Confirming the Applicant is the Domain Name Registrant through a Reliable
Method of Communication with the Domain Name Registrar or Domain Name
Registrant through contact information provided by WHOIS, such as the
physical address, email address, telephone or facsimile number for the
Domain Name Registrant, or the contact listed as the "registrant",
"technical", or "administrative" contact, or the private, anonymous, or
proxy registration service listed by WHOIS, if any, for the Domain Name
Registrant.  Evidence of such confirmation through a Reliable Method of
Communication may consist of a Domain Authorization Document previously
obtained from either the Domain Name Registrant (including any private,
anonymous, or proxy registration service) or the Domain Name Registrar
listed in the WHOIS, provided that the Registered Domain Name in the WHOIS
record has not changed.

 
