[cabf_validation] Using 3.2.2.4.2/.3 for future domains

Peter Bowen pzb at amzn.com
Thu Mar 15 09:28:03 MST 2018


From the discussions of CA use cases where they were using 3.2.2.4.1, it seems that we might be able to cover a number of these by clarifying 3.2.2.4.2/.3.

Specifically, the BRs currently say:

"Each email, fax, SMS, or postal mail MAY confirm control of multiple Authorization Domain Names. […] MUST be sent to an email address, fax/SMS number, or postal mail address identified as a Domain Contact."

"Each phone call SHALL be made to a single number and MAY confirm control of multiple FQDNs, provided that the phone number is identified by the Domain Registrar as a valid contact method for every Base Domain Name being verified using the phone call"

What is unclear is whether an email, fax, SMS, postal mail, or phone call MAY be used to confirm approval for an unbounded set of domain names which have that method as a contact method.  For example, can a CA email hostmaster at example.com and say "Will you approve Bob to get a certificate for _any_ domain which has hostmaster at example.com as a Domain Contact, including domains not yet registered but which are registered in the future with hostmaster at example.com as a Domain Contact?"  This authorization is subject to the aging requirements already in the BRs.

If this is allowed, it would seem to cover the use case of adding domains to an existing applicant/subscriber account without requiring a new communication with the domain contact for each domain.  This was the primary use case that I heard for 3.2.2.4.1 (1) & (2).

Thanks,
Peter
