[cabf_validation] Updates to Method 3

Ryan Sleevi sleevi at google.com
Fri May 11 12:40:04 MST 2018


On Fri, Apr 20, 2018 at 4:06 PM, Doug Beattie <doug.beattie at globalsign.com>
wrote:

> Yes, the format looks to have been dropped when you opened it (the one I
> received did have some formatting included).  Regardless, the proposed text
> is in the linked google Doc and is one way for the collaboration to happen.
>
>
>
> When you saw “Authorization Domain Name FQDN”, I added “Authorization
> Domain Name” and lined out “FQDN”
>
>
>
> The main question I wanted to ask was that when you validate a FQDN using
> an ADN (or the “thing” that’s registered with the Domain Name Registrar),
> it’s the ADN/”thing registered with the Registrar” that can be re-used for
> subsequent issuance, right?
>

The ADN may be the FQDN, it may be the registered name, or it may be any
number of DNS labels in between. It's the ADN that is reused. Thus if you
validated "subdomain.example.com" as the ADN, that only authorizes for
labels at-or-below subdomain.example.com in the DNS hierarchy, and no
domains with 'fewer' labels (e.g. "example.com").

It's a slight wording tweak to call out :)


>
>
> I agree, we need to nuke the Notes, they are not always accurate and are
> irrelevant.
>
>
>
> Doug
>
>
>
>
>
>
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Friday, April 20, 2018 3:58 PM
> *To:* Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum
> Validation WG List <validation at cabforum.org>
> *Subject:* Re: [cabf_validation] Updates to Method 3
>
>
>
>
>
>
>
> On Fri, Apr 20, 2018 at 2:59 PM, Doug Beattie via Validation <
> validation at cabforum.org> wrote:
>
> I'm working on updating Method 3, per the Validation Summit meeting.
>
> It currently says:
>
> Confirming the Applicant's control over the FQDN by calling the Domain
> Name Registrant's phone number and obtaining a response confirming the
> Applicant's request for validation of the FQDN. The CA MUST place the call
> to a phone number identified by the Domain Name Registrar as the Domain
> Contact.
>
> Each phone call SHALL be made to a single number and MAY confirm control
> of multiple FQDNs, provided that the phone number is identified by the
> Domain Registrar as a valid contact method for every Base Domain Name being
> verified using the phone call.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN.  This method is suitable for validating Wildcard Domain
> Names.
>
> We're looking to make a few changes, see:
>
>   *   https://docs.google.com/document/d/1aJiOzYVTpoAPVWDucnp20cTO2PR_cRsHncvkhlrcR10/edit
>
> The main question I have is, why is there no mention of ADN in this
> method?  It seems like you should be able to use the phone number of the
> ADN, and that you should be able to re-use this validation for any other
> FQDN that ends with the ADN.
>
>
>
> I'm not really sure I understand the question. WHOIS is not tied to
> FQDN/ADN, but through communication with the Domain Name Registrar.
>
>
>
> If it's the "Note:" part, well, that's because some members felt it was
> appropriate to duplicate informatively what is normatively specified
> elsewhere.
>
>
>
> Are there any issues I'm missing with this suggestion?  The Yellow items
> are important for this question, the other changes are for other
> recommended changes.
>
>
>
> I'm not sure what Yellow items you're referring to. Perhaps your mail
> client is misconfigured?
>
>
>
> In general, this is where collaborating on GitHub for actual proposed
> changes may make more effective collaboration.
>
>
>
> As far as terminology, it seems like a very poor language choice to say
> "Authorization Domain Name FQDN", and may highlight the misunderstanding
> about what an ADN is.
>
>
>
> Confirming the Applicant's control over the FQDN by calling the Domain
> Contact's phone number and obtaining a response confirming the Applicant's
> request for validation of the Authorization Domain Name FQDN. The CA MUST
> place the call to a phone number identified by the Domain Name Registrar as
> the Domain Contact.
>
> Each phone call SHALL be made to a single number and MAY confirm control
> of multiple FQDNs, provided that the phone number is identified by the
> Domain Registrar as a valid contact method for every FQDN Authorization
> Domain Name being verified using the phone call.
>
> In the event of a phone transfer, you can only be transferred to a Domain
> Contact.  In the event of reaching voicemail, a Random Value shall be left
> and the Domain contact may return that to the CA via Phone, Email, Fax, or
> SMS to approve the domain within 30 days of the voicemail.
>
> Note: Once the FQDN has been validated using this method, the CA MAY also
> issue Certificates for other FQDNs that end with all the labels of the
> validated FQDN Authorization Domain Name.  This method is suitable for
> validating Wildcard Domain Names.
>
>
>
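The rule stated in the reply at the top of this thread (it is the ADN that is reused, and it covers only names at-or-below it in the DNS tree, never a name with fewer labels) is easy to get wrong with a plain string-suffix test, because "evilsubdomain.example.com" ends with the characters of "subdomain.example.com" without being below it. The following is an added example, not part of the thread and not any CA's or the Forum's code: a label-aware coverage check beside the naive suffix check it replaces. The function names are hypothetical, and treating a wildcard request "*.x" as a request for "x" is an assumption drawn from the Note's remark that the method is suitable for Wildcard Domain Names.

```python
# Added example (hypothetical helper code, not CA/Browser Forum text):
# may a validation performed against an Authorization Domain Name (ADN)
# be reused for a requested FQDN?


def _labels(name: str) -> list[str]:
    """Normalize a DNS name: lowercase, drop a trailing dot, split into labels."""
    name = name.strip().lower().rstrip(".")
    if not name:
        raise ValueError("empty domain name")
    labels = name.split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def adn_covers(validated_adn: str, requested_fqdn: str) -> bool:
    """
    True if a validation of `validated_adn` may be reused for `requested_fqdn`.

    The requested name must end with ALL labels of the ADN, on a label
    boundary, so that it sits at-or-below the ADN in the DNS hierarchy.
    A name with fewer labels (e.g. the registered domain when the ADN is a
    subdomain of it) is never covered.

    Assumption: a wildcard request "*.x" is compared as "x", i.e. the
    wildcard label is removed before the check.
    """
    adn = _labels(validated_adn)
    req = _labels(requested_fqdn)

    if req[0] == "*":
        req = req[1:]
        if not req:
            return False  # a bare "*" names nothing
    if "*" in adn or "*" in req:
        return False  # wildcard only permitted as the leftmost request label

    if len(req) < len(adn):
        return False  # fewer labels: example.com is NOT covered by subdomain.example.com

    # Compare whole labels from the right; this is the label-boundary check
    # that a string suffix test lacks.
    return req[-len(adn):] == adn


def naive_suffix_covers(validated_adn: str, requested_fqdn: str) -> bool:
    """The buggy check this example warns against: a character-level suffix
    test, which wrongly accepts evilsubdomain.example.com for an ADN of
    subdomain.example.com."""
    return requested_fqdn.lower().endswith(validated_adn.lower())


if __name__ == "__main__":
    adn = "subdomain.example.com"
    for fqdn in ("www.subdomain.example.com", "example.com",
                 "evilsubdomain.example.com", "*.subdomain.example.com"):
        print(f"{fqdn:30} label-aware={adn_covers(adn, fqdn)!s:5} "
              f"naive-suffix={naive_suffix_covers(adn, fqdn)}")
```

The two functions disagree exactly on the case that matters: `naive_suffix_covers` returns True for "evilsubdomain.example.com", which would let a validation of one registrant's subdomain authorize issuance for an unrelated name under the same registered domain; `adn_covers` rejects it because "evilsubdomain" and "subdomain" are different labels. Both correctly reject "example.com", which has fewer labels than the ADN.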

