[cabf_validation] Validation by telephone
Peter Bowen
pzb at amzn.com
Tue Jan 19 10:21:24 MST 2016
Are you saying that SMS, fax, etc should be exempt from the random requirement?
> On Jan 19, 2016, at 9:14 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>
> I think we should plan ahead for SMS, fax communication, etc. I think the second part is redundant with the first. We already say they are confirming control over the requested FQDN. How about:
>
> Confirming the Applicant’s control over a requested FQDN through a telecom-based communication with the Domain Name Registrant where the telecom number was obtained from (a) the Domain Name Registrar or (b) the WHOIS record’s “registration”, “technical”, or “administrative” field; or
>
> <>
> From: Peter Bowen [mailto:pzb at amzn.com <mailto:pzb at amzn.com>]
> Sent: Tuesday, January 19, 2016 10:07 AM
> To: Doug Beattie
> Cc: Rick Andrews; Jeremy Rowley; validation at cabforum.org <mailto:validation at cabforum.org>
> Subject: Re: [cabf_validation] Validation by telephone
>
> I like the second. It does reorganize the validation methods but I think it makes sense — whether you get it from the registrar (via some method) or via WHOIS (explicit method), it should be the same steps after.
>
> On Jan 19, 2016, at 7:47 AM, Doug Beattie <doug.beattie at globalsign.com <mailto:doug.beattie at globalsign.com>> wrote:
>
> I don’t like references to certificate requests because this section isn’t limited to that.
>
> How about this?
>
> Confirming the Applicant’s control over the requested FQDN by placing a phone call to the Domain Name Registrant using a telephone number obtained from the WHOIS record’s “registrant”, “technical”, or “administrative” field and confirming the Applicant's request for validation of the FQDN; or
>
> Or
>
> Confirming the Applicant’s control over the requested FQDN by calling the Domain Name Registrant's phone number where the phone number was obtained from (a) the Domain Name Registrar or (b) the WHOIS record’s “registration”, “technical”, or “administrative” field, and confirming the Applicant's request for validation of the FQDN; or
>
> From: validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org> [mailto:validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org>] On Behalf Of Rick Andrews
> Sent: Monday, January 18, 2016 6:55 PM
> To: Jeremy Rowley <jeremy.rowley at digicert.com <mailto:jeremy.rowley at digicert.com>>; validation at cabforum.org <mailto:validation at cabforum.org>
> Subject: Re: [cabf_validation] Validation by telephone
>
> Thanks, Jeremy. I like #1 better too.
>
> From: validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org> [mailto:validation-bounces at cabforum.org <mailto:validation-bounces at cabforum.org>] On Behalf Of Jeremy Rowley
> Sent: Thursday, January 14, 2016 5:12 PM
> To: validation at cabforum.org <mailto:validation at cabforum.org>
> Subject: [cabf_validation] Validation by telephone
>
> Here are the two telephone validation processes split out from the email:
>
> 2. Confirming the Applicant’s domain ownership or control by receiving confirmation of the certificate’s request from the Domain Name Registrant where (i) the certificate request is confirmed by communicating with the Domain Name Registrant using a postal address or by email, (ii) the address or email used for communicating with the Domain Name Registrant is either (a) provided by the Domain Name Registrar or (b) listed in the WHOIS record’s “registration”, “technical”, or “administrative” field, (ii) the confirmation of the certificate’s request contains a Random Value unique to the Applicant, and (iii) the Applicant responds to the communication with a response confirming the Applicant’s receipt of the Random Value; or
>
> 3. Confirming the Applicant’s domain ownership or control by receiving confirmation of the certificate request from the Domain Name Registrant where the certificate request is confirmed by communicating with the Domain Name Registrant using a telephone number provided by either (i) the Domain Name Registrar or (ii) listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field; or
>
> Alternative:
>
> 2. Confirming the Applicant’s domain ownership or control by communicating with the Domain Name Registrant using a postal address or by email where (ii) the address or email of the Domain Name Registrant is either (a) provided by the Domain Name Registrar or (b) is listed in the WHOIS record’s “registration”, “technical”, or “administrative” field, (ii) the confirmation of the certificate’s request contains a Random Value unique to the Applicant, and (iii) the Applicant responds to the communication with a response confirming the Applicant’s receipt of the Random Value; or
>
> 3. Confirming the Applicant’s domain ownership or control by communicating with the Domain Name Registrant using a telephone number that is either (i) provided by the Domain Name Registrar or (ii) listed in the WHOIS record’s “registrant”, “technical”, or “administrative” field; or
>
> I liked #1 because it required that there be a confirmation of the certificate request from the Domain Name Registrant. It’s not just simply calling a number (or sending an email) that contains no information about the purpose of the email/call.
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org <mailto:Validation at cabforum.org>
> https://cabforum.org/mailman/listinfo/validation <https://cabforum.org/mailman/listinfo/validation>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/validation/attachments/20160119/739be5b9/attachment-0001.html
More information about the Validation
mailing list