On Tue, 24 Sep 2024 07:48:00 +0000 Martijn Katerbarg via Servercert-wg <[email protected]> wrote:
> > I also wanted to ask in general, why does WHOIS based validation not
> > fall under the same rules as a delegated third party for domain
> > validation?
>
> In my personal opinion (but perhaps others have a different opinion
> on this), because there needs to be a source of truth, for the same
> reason we do allow DNS, and by that any, validation.
>
> With any DCV method, a third party is always used. And by that I do
> not mean using 8.8.8.8 or 1.1.1.1 for DNS queries, that obviously is
> a not-allowed practice. However, I'd claim that the
> *.root-servers.net are still a third party. We just see it as the
> single source of truth for DNS and walk the tree from there. (And
> that list of authorized servers is also maintained by IANA:
> https://www.iana.org/domains/root/servers).

Yes, exactly this. The problem with delegated third parties (like 8.8.8.8) is that the CA is relying on another party to check the source of truth. It's OK for the CA to check the source of truth itself, even if the source of truth is a third party. Indeed, it's unavoidable with DCV because of how the domain system works.

Regards,
Andrew
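As an added illustration of the "walk the tree from the root" point above (example code, not from either poster or the CA/B Forum), this simulates an iterative resolver that starts from a root-hint list and follows NS referrals down to the authoritative server, returning the chain of servers it consulted so the CA can see which authorities vouched for the DCV record. All server names, zone data and the token are constructed for the example; the hint list stands in for IANA's published root server list.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]  # (owner name, RR type); names are absolute ("example.net.")

# Constructed root hint list: the single trust anchor the walk starts from.
# (The real list is published by IANA; this entry is a placeholder for the example.)
ROOT_HINTS: List[str] = ["root-server.hint.example."]

# Constructed authoritative data, keyed by server name. A server only answers for
# data it holds; everything else is reached by following its NS referrals.
ZONES: Dict[str, Dict[Record, List[str]]] = {
    "root-server.hint.example.": {
        ("net.", "NS"): ["tld-server.hint.example."],
    },
    "tld-server.hint.example.": {
        ("example.net.", "NS"): ["ns1.example.net."],
    },
    "ns1.example.net.": {
        ("_dcv.example.net.", "TXT"): ["ca-token-placeholder"],
    },
}

def _covers(zone: str, name: str) -> bool:
    return name == zone or name.endswith("." + zone)

def _referral(server: str, qname: str) -> Optional[str]:
    """NS target of the longest zone cut this server knows that covers qname."""
    cuts = [(owner, rdata) for (owner, rtype), rdata in ZONES[server].items()
            if rtype == "NS" and _covers(owner, qname)]
    if not cuts:
        return None
    _owner, targets = max(cuts, key=lambda c: len(c[0]))
    return targets[0]

def iterative_lookup(qname: str, qtype: str, max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Walk from the root hints to the authoritative server for qname.
    Returns (answer rdata, chain of servers the resolver itself chose from referrals)."""
    server = ROOT_HINTS[0]
    chain: List[str] = []
    for _ in range(max_hops):
        chain.append(server)
        data = ZONES.get(server, {})
        if (qname, qtype) in data:
            return data[(qname, qtype)], chain
        nxt = _referral(server, qname)
        if nxt is None or nxt in chain:  # no delegation, or a referral loop
            raise LookupError(f"no answer or referral for {qname} at {server}")
        server = nxt
    raise LookupError(f"referral chain for {qname} exceeded {max_hops} hops")
```

Contrast this with handing the query to a recursive resolver such as 8.8.8.8: the CA would receive only the final answer and none of the delegation chain, which is the "relying on another party to check the source of truth" distinction drawn above.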
