[cabf_validation] Domain Authorization Documents under subsection 2 and 4 of the proposed domain validation re-write
kirk_hall at trendmicro.com
kirk_hall at trendmicro.com
Thu Jul 16 16:51:32 MST 2015
I just noticed that EVGL 11.14.1(6) says essentially the same thing for re-vetting of EV domains, so now I think I understand. You don’t have to completely revet the domain so long as the WhoIs Registrant data is the same as the last time you vetted (you can rely on your prior vetting data, including and Domain Authentication Document, if the WhoIs Registrant is the same as last time). That makes sense to me, so yes I agree – let’s extend the same process to DV and OV domain revetting.
EVGL 11.14.1 If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of: ***
(6) The Applicant's right to use the specified Domain Name under Section 11.7, provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate.
From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Kirk Hall (RD-US)
Sent: Thursday, July 16, 2015 4:18 PM
To: Ben Wilson; validation at cabforum.org
Subject: Re: [cabf_validation] Domain Authorization Documents under subsection 2 and 4 of the proposed domain validation re-write
I still don’t understand the purpose / meaning of the last sentence:
Evidence of such confirmation through a Reliable Method of Communication may consist of a Domain Authorization Document previously obtained from either the Domain Name Registrant (including any private, anonymous, or proxy registration service) or the Domain Name Registrar listed in the WHOIS, provided that the Registered Domain Name in the WHOIS record has not changed.
If we follow EVGL 11.14.1(6), as we should (but lengthen the reuse of vetting data to 39 months for DV and OV, not 13 months), then the sentence above adds nothing (or implies we must re-check the WhoIs for each DV or OV certificate request to look for WhoIs changes, even though we are still allowed to re-use the prior domain validation information).
Or are you proposing that we can re-use a Doman Authorization Document for MORE THAN 39 months, so long as we re-check the WhoIs after 39 months and see that there were no changes?
From: validation-bounces at cabforum.org<mailto:validation-bounces at cabforum.org> [mailto:validation-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, July 16, 2015 11:58 AM
To: validation at cabforum.org<mailto:validation at cabforum.org>
Subject: [cabf_validation] Domain Authorization Documents under subsection 2 and 4 of the proposed domain validation re-write
On today’s call I said I would look at the DV validation methods 2 and 4 in the proposal to see whether they could be merged and some of the language eliminated. For instance, it was asked why subsection 4(b) needed to say, “used by the CA to verify a previously issued certificate and that the Registered Domain Name’s WHOIS record has not been modified since the previous certificate’s issuance” and why that wasn’t already covered by section 3.3.1 of the Baseline Requirements.
The problem is that I do not see where the right to re-use the Domain Authorization Document is preserved beyond 39 months, like it is in the EV Guidelines.
Section 3.3.1 of the Baseline Requirements states:
The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that the CA obtained the data or document from a source specified under Section 3.2 no more than thirty-nine (39) months prior to issuing the Certificate.
Section 11.14.1 of the EV Guidelines says,
If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of:
(1) The Principal Individual verified under Section 11.2.2 (4) if the individual is the same person as verified by the CA in connection with the Applicant’s previously issued and currently valid EV Certificate;
(2) The Applicant's Place of Business under Section 11.4.1;
(3) The Applicant’s Verified Method of Communication required by Section 11.5 but still MUST perform the verification required by section 11.5.2(B);
(4) The Applicant's Operational Existence under Section 11.6;
(5) The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under Section 11.8; and
(6) The Applicant's right to use the specified Domain Name under Section 11.7, provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate.
Section 11.14.1 is an exception to the time frames in Section 11.14.3 of the EV Guidelines.
Domain Validation based on current section 3.2.2.4.5 (“Relying upon a Domain Authorization Document”) needs to be preserved as an exception to the aging requirement (like it is in Section 11.14.1(6) of the EV Guidelines), or else the Baseline Requirements will be more strict than the EV Guidelines.
Section 11.14.1(6) of the EV Guidelines should be ported over to the Baseline Requirements.
In any event. I took a stab at merging and re-writing some of the language in subsections 2 and 4, and this is what I came up with:
Confirming the Applicant is the Domain Name Registrant through a Reliable Method of Communication with the Domain Name Registrar or Domain Name Registrant through contact information provided by WHOIS, such as the physical address, email address, telephone or facsimile number for the Domain Name Registrant, or the contact listed as the “registrant”, “technical”, or “administrative” contact, or the private, anonymous, or proxy registration service listed by WHOIS, if any, for the Domain Name Registrant. Evidence of such confirmation through a Reliable Method of Communication may consist of a Domain Authorization Document previously obtained from either the Domain Name Registrant (including any private, anonymous, or proxy registration service) or the Domain Name Registrar listed in the WHOIS, provided that the Registered Domain Name in the WHOIS record has not changed.
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20150716/ac994c74/attachment-0001.html
More information about the Validation
mailing list