[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft (2)
sleevi at google.com
Mon Apr 24 09:04:37 MST 2017
On Mon, Apr 24, 2017 at 10:24 AM, Peter Bowen <pzb at amzn.com> wrote:
>>> 188.8.131.52.2: same as .1
>> How do you argue this? The random value must be unique and cannot be
>> reused > 30 days, so the documents and data obtained would need to be
> I’m not suggesting to reuse the random value itself. I’m reusing the
> documentation created when I verified the random value within 30 days of
I see. That's an interesting definition of documentation that I did not
believe was supported through the text.
Could you expand on what you see this definition including? That is, I
think suggesting that "the act of verifying" is equivalent to "producing
documentation", and such documentation can be reused, is somewhat
problematic and inconsistent with the text, but perhaps I've misunderstood.
>>> And I suppose the interpretation that I'm taking is that 184.108.40.206 doesn't
>>> enumerate ADN, but does enumerate FQDN, and the confirmation applies to the
>>> FQDN, not the ADN, even if the FQDN was confirmed using an ADN. Because of
>>> this, "completed confirmations" refers to the FQDN - so you can reissue
>>> certificates for the same names, but you cannot add new names, even if an
>>> ADN is used.
>> On first reading, I was inclined to support your interpretation (if we
>> made it explicitly worded), but one problem with that interpretation is the
>> intersection with CAA. If we allow the ADN authorization to be reused, then
>> it allows bypassing the CAA checks for the FQDN, does it not? Or would you
>> agree that 220.127.116.11 applies regardless of the reuse of information - that
>> every FQDN must have CAA checked, regardless of whether authority was validated
>> using a (reused) ADN validation?
> Where do you see 18.104.22.168 says you can skip it? I’m trying to take your
> view that one runs the validation workflow (flowchart) each time you issue,
> but the inputs may have been collected on a previous validation run.
Using your definition that the act of verifying the ADN is producing
documentation, why wouldn't the act of verifying CAA be equivalent to