[cabf_validation] Ballot 190

Thu May 4 13:10:39 MST 2017

Why do you have FQDN checked for 1-3?  I think you'd only do FQDN level validation if you also allow Authorization domain.

Can a DAD be used for Authorization domain and base domain?  Not sure.

See comments below.

Doug

Method

FQDN

Authorization Domain

Base Domain

1. Domain Contact - This method relies on the definition of Domain Contact which specifies the WHOIS person either at the FQDN or base domain.

X

X

2. WHOIS Email - Only permits email to domain contact, but one of the sentences mentions Authorization Domain?

X

X

3. WHOIS Phone - Same as Email

X

X

4. Constructed Email - sending the email to authorization domain

X

X

X

5. Domain Document

X

X?

X?

6. Agreed-Upon Change - Authorization domain specifically mentioned

X

X

X

7. DNS Change - Authorization domain name is mentioned but also permits underscore

X

X

X

8. IP Address - No Authorization domain mentioned

X

9. Test Cert - Authorization domain mentioned

X

X

X

10. TLS Using a Random Number - Authorization Domain mentioned

X

X

X

Doug

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Validation
Sent: Thursday, May 4, 2017 3:46 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>
Subject: [cabf_validation] Ballot 190

I wanted to make sure that I'm implementing the methods correctly. For each FQDN you can verify the FQDN using the FQDN, an Authorization Domain, or Base Domain, as specified in the method. Going through the methods, it looks like the verification listed in the table below is permitted. Is this everyone else's understanding?

Method

FQDN

Authorization Domain

Base Domain