Thanks! The reason I asked -- I'm finalizing the Mozilla Root Store Policy v. 2.9, and I'm thinking of referencing "3.2.2" as a way to broadly cover the validation of information that might go in a name-constrained sub CA.

Thanks again,

Ben

On Tue, Aug 8, 2023 at 2:17 PM Stephen Davidson <stephen.david...@digicert.com> wrote:

> Hi Ben:
>
> The reference to Section 3.2.2.3 goes with the "or has been authorized by the domain registrant to act on the registrant's behalf" part only. The typical verification of the domain under active control of the registrant would be done via Section 3.2.2.1.
>
> A possible clarification might be phrased as:
>
> "The CA SHALL confirm that the Applicant has registered the FQDN contained in the rfc822Name* in line with the verification practices of Section 3.2.2.1, *or has been authorized by the domain registrant to act on the registrant’s behalf in line with the verification practices of Section 3.2.2.3."
>
> Best, Stephen
>
> *From:* Smcwg-public <smcwg-public-boun...@cabforum.org> *On Behalf Of* Ben Wilson via Smcwg-public
> *Sent:* Tuesday, August 8, 2023 4:56 PM
> *To:* SMIME Certificate Working Group <smcwg-public@cabforum.org>
> *Subject:* [Smcwg-public] Validation of Information for Name-Constrained SubCAs
>
> Does anyone recall offhand why section 7.1.5 doesn't also refer to section 3.2.2.1?
>
> Section 7.1.5 says, "The CA SHALL confirm that the Applicant has registered the FQDN contained in the rfc822Name or has authorized by the domain registrant to act on the registrant’s behalf in line with the verification practices of Section 3.2.2.3." Section 3.2.2.3 is "Validating applicant as operator of associated mail server(s)", and section 3.2.2.1 is "Validating authority over mailbox via domain." Was there a concern that 3.2.2.1 was too broad and that validation had to be done pursuant to section 3.2.2.3? And what about section 3.2.2.2 (validating control over mailbox via email)?
>
> Thanks,
>
> Ben