[cabf_validation] Using 3.2.2.4.2/.3 for future domains
pzb at amzn.com
Thu Mar 15 09:28:03 MST 2018
From the discussions of CA use cases where they were using 3.2.2.4.1, it seems that we might be able to cover a number of these by clarifying 3.2.2.4.2/.3.
Specifically, the BRs currently say:
"Each email, fax, SMS, or postal mail MAY confirm control of multiple Authorization Domain Names. […] MUST be sent to an email address, fax/SMS number, or postal mail address identified as a Domain Contact."
"Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact method for every Base Domain Name being verified using the phone call"
What is unclear is whether an email, fax, SMS, postal mail, or phone call MAY be used to confirm approval for an unbounded set of domain names which have that method as a contact method. For example, can a CA email hostmaster at example.com and say “Will you approve Bob to get a certificate for _any_ domain which has hostmaster at example.com as a Domain Contact, including domains not yet registered but which are registered in the future with hostmaster at example.com as a Domain Contact?” This authorization is subject to the aging requirements already in the BRs.
If this is allowed, it would seem to cover the use case of adding domains to an existing applicant/subscriber account without requiring a new communication with the domain contact for each domain. This was the primary use case that I heard for 3.2.2.4.1 (1) & (2).