[cabf_validation] Fwd: RE: Outline of Method 1 Replacement

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Mar 12 02:34:29 MST 2018


Posting on behalf of Mads until his posting rights are fixed.

Dimitris.

-------- Forwarded Message --------
Subject: 	RE: [cabf_validation] Outline of Method 1 Replacement
Date: 	Sun, 11 Mar 2018 12:11:24 +0000
From: 	Mads Egil Henriksveen <Mads.Henriksveen at buypass.no>
To: 	Wayne Thayer <wthayer at mozilla.com>, CA/Browser Forum Validation WG 
List <validation at cabforum.org>, Jonathan Rudenberg <jonathan at titanous.com>



As one of the CAs using this method I can confirm that the main 
objective for us is to avoid an excessive step. If the Applicant is 
validated according to EV, the authorization to issue is verified 
similarly and it is “beyond reasonable doubt” that the Applicant is the 
Domain Name Registrant, we don’t see that adding .2/.3 should be necessary.

To achieve this, we could require that this method is to be used for a) 
EV only or for b) EV and OV if the validation of Applicant identity and 
the authorization to issue is verified according to EVG.

We should also consider removing the possibility of allowing the 
Applicant to include the Applicant's Parent Company, Subsidiary Company, 
or Affiliate when using this specific method.

One additional improvement we might consider is to require that the 
Applicant’s identity (and similar for Domain Name Registrant) should 
include a registration number or other disambiguating information. As 
discussed during the validation summit this would be useful for 
Norwegian organizations and domains in our national TLD-registry and 
presumably for organizations and ccTLDs in other European countries as 
well.

The outlined method with or without any combination of the above options 
will be useful for Buypass, but it would be good to hear what other CAs 
think about this.

And I suggest we change the title of the new method to ‘3.2.2.4.13 
Validating the Applicant as a Domain Name Registrant’.

Regards

Mads

From: Validation <validation-bounces at cabforum.org> On Behalf Of Wayne 
Thayer via Validation
Sent: Friday 9 March 2018 20:23
To: Jonathan Rudenberg <jonathan at titanous.com>
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Outline of Method 1 Replacement

On Fri, Mar 9, 2018 at 11:53 AM, Jonathan Rudenberg 
<jonathan at titanous.com> wrote:


    Is there a compelling reason to bring back a new version of this method?

Yes, we're asking the same question.

    It seems like any modification that adds the appropriate security
    properties would bring it very close to 3.2.2.4.2 / 3.2.2.4.3. Based
    on my understanding of the use of this method in the wild, it makes
    more sense to me for CAs to switch to .2 and .3 for domain ownership
    authorization and then do necessary additional subject validation
    with 3.2.2.1 or EVGL 11.8.3.

The obvious example to me is when the CA is already performing EV 
validation, in which case this could save a step. There are also cases 
where having a contractual relationship could make this method appealing 
to a CA. In general, while I see your point, I'm trying not to make 
assumptions.

Thanks,

Wayne
