[cabf_validation] Fwd: RE: Outline of Method 1 Replacement
Adriano Santoni
adriano.santoni at staff.aruba.it
Mon Mar 12 04:10:03 MST 2018
Hi,
see my comments in-line >>
Il 12/03/2018 10:34, Dimitris Zacharopoulos via Validation ha scritto:
> Posting on behalf of Mads until his posting rights are fixed.
>
> Dimitris.
>
> -------- Forwarded Message --------
> Subject: RE: [cabf_validation] Outline of Method 1 Replacement
> Date: Sun, 11 Mar 2018 12:11:24 +0000
> From: Mads Egil Henriksveen <Mads.Henriksveen at buypass.no>
> To: Wayne Thayer <wthayer at mozilla.com>, CA/Browser Forum Validation
> WG List <validation at cabforum.org>, Jonathan Rudenberg
> <jonathan at titanous.com>
>
>
>
> As one of the CAs using this method I can confirm that the main
> objective for us is to avoid an excessive step. If the Applicant is
> validated according to EV, the authorization to issue is verified
> similarly and it is “beyond reasonable doubt” that the Applicant is
> the Domain Name Registrant, we don’t see that adding .2/.3 should be
> necessary.
>
>> I agree. In our case, and I am sure the same holds for many other
CAs, there are many situations where the Applicant's ownership of a
domain can be ascertained beyond any reasonable doubt by examining WHOIS
records and cross-checking with the Applicant over a reliable
communication channel or possibly face-to-face (in front of a CA
salesperson), without any need to technically interact with the domain's
HTTP server or DNS server or to send emails to the domain's
administrator. The fact (which is unquestionable) that in certain
countries and/or with certain request channels the above is not always
true, does not seem a good reason to abolish this method.
>
> To achieve this, we could require that this method is to be used for
> a) EV only or for b) EV and OV if the validation of Applicant identity
> and the authorization to issue is verified according to EVG.
>
>> Could you specify the exact EVG sections that would apply in this
scenario, in the OV case ?
>
> We should also consider to remove the possibility of allowing the
> Applicant to include the Applicant's Parent Company, Subsidiary
> Company, or Affiliate when using this specific method.
>
>> I am unclear why are you suggesting this... could you please elaborate?
>
> One additional improvement we might consider is to require that the
> Applicant’s identity (and similar for Domain Name Registrant) should
> include a registration number or other disambiguating information. As
> discussed during the validation summit this would be useful for
> Norwegian organizations and domains in our national TLD-registry and
> presumably for organizations and ccTLDs in other European countries as
> well.
>
>> I agree, and I would also require the Registrant's full address in
the whois record for this latter to be acceptable.
>
> The outlined method with or without any combination of the above
> options will be useful for Buypass, but it would we good to hear what
> other CAs think about this.
>
>> I agree.
>
> And I suggest we change the title of the new method to ‘3.2.2.4.13
> Validating the Applicant as a *Domain Name Registrant’.*
>
>> As there can only be one registrant at any given time, I would
rather say "_the_ Domain Name Registrant".
>
> Regards
>
> Mads
>
> *From:*Validation <validation-bounces at cabforum.org> *On Behalf Of
> *Wayne Thayer via Validation
> *Sent:* fredag 9. mars 2018 20:23
> *To:* Jonathan Rudenberg <jonathan at titanous.com>
> *Cc:* CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Subject:* Re: [cabf_validation] Outline of Method 1 Replacement
>
> On Fri, Mar 9, 2018 at 11:53 AM, Jonathan Rudenberg
> <jonathan at titanous.com <mailto:jonathan at titanous.com>> wrote:
>
>
> Is there a compelling reason to bring back a new version of this
> method?
>
> Yes, we're asking the same question.
>
> It seems like any modification that adds the appropriate security
> properties would bring it very close to 3.2.2.4.2 / 3.2.2.4.3.
> Based on my understanding of the use of this method in the wild,
> it makes more sense to me for CAs to switch to .2 and .3 for
> domain ownership authorization and then do necessary additional
> subject validation with 3.2.2.1 or EVGL 11.8.3.
>
> The obvious example to me is when the CA is already performing EV
> validation, in which case this could save a step. There are also cases
> where having a contractual relationship could make this method
> appealing to a CA. In general, while I see your point, I'm trying not
> to make assumptions.
>
> Thanks,
>
> Wayne
>
>
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://cabforum.org/mailman/listinfo/validation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180312/67b1f45c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4025 bytes
Desc: Firma crittografica S/MIME
URL: <http://cabforum.org/pipermail/validation/attachments/20180312/67b1f45c/attachment-0001.p7s>
More information about the Validation
mailing list