[cabf_validation] Registrar validation method

Peter Bowen pzb at amzn.com
Thu Mar 15 08:16:04 MST 2018

As discussed at the F2F, I think we should look at adding a CA/Registrar confirmation method that is a little more transparent and also works when the CA and Registrar are not affiliates. As a starting point, I propose:

"Registrar challenge validation
Confirming the Applicant’s control over the request Domain Name by confirming the presence of a Random Value or Request Token in a response from the Domain Name Registrar or Registry received in response to a request containing an Authorization Domain Name."

This is the same text I proposed back in October (https://cabforum.org/pipermail/public/2017-October/012423.html), and Geoff Keating and Tim Hollebeek responded with some comments. Notably Geoff wrote "I like the concept, but can we be a bit more specific than just ‘in response to a request’?  For example, can we say ‘in response to a WHOIS request for the Authorization Domain Name’?"

I’m open to suggestions on how to refine this, but one of the challenges is the chicken and egg problem — we only have half the required parties in the Forum (no registrars), so defining a specific implementation may be hard until we have a couple working implementations.
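
The WHOIS variant Geoff suggests in the quoted comment could be checked on the CA side roughly as follows. This is an added example, not part of the original message or of any CA/Browser Forum text; the `Validation-Token` field name and the sample reply are assumptions constructed for illustration, since the proposal does not define where a registrar would place the value.

```python
import re
import secrets

# Constructed sample WHOIS reply. "Validation-Token" is a hypothetical field:
# the proposal does not say how a registrar would return the Random Value.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Validation-Token: {token}
Name Server: NS1.EXAMPLE.COM
"""

def new_random_value() -> str:
    """Random Value for one validation attempt: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)

def build_whois_query(authorization_domain: str) -> bytes:
    """RFC 3912 query: the domain name followed by CRLF, nothing else."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", authorization_domain):
        raise ValueError("unexpected characters in domain name")
    return authorization_domain.lower().encode("ascii") + b"\r\n"

def response_confirms_control(response: str, authorization_domain: str,
                              random_value: str) -> bool:
    """True only if the reply is about the queried domain and carries our value."""
    fields = {}
    for line in response.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    # The reply must name exactly the Authorization Domain Name we asked about.
    domains = [d.lower() for d in fields.get("domain name", [])]
    if domains != [authorization_domain.lower()]:
        return False
    # Require one token field and compare it whole, in constant time, so a
    # value that merely appears inside some other text does not count.
    tokens = fields.get("validation-token", [])
    return len(tokens) == 1 and secrets.compare_digest(
        tokens[0].encode(), random_value.encode())
```

Binding the check to both the queried domain and a single dedicated field is what keeps a value echoed elsewhere in the reply, or a reply for a different domain, from passing.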
