delegated additional domain validation lookup


Seo Suchan

Jul 31, 2023, 9:51:30 AM
to dev-secur...@mozilla.org
Assume a CA does domain validation by itself. In parallel, can it ask a 3rd
party service to assert if they see the same token, and reject the order if
the 3rd party couldn't see it?

I wonder if it's delegating part of domain validation or can be considered
like additional checks, like if the customer paid or not.

For example, for agreed-upon change to website v2, it doesn't hurt if a CA
checks over a 3rd party's monitors to test if they see the same
page as over the CA's own network, does it?

Corey Bonnell

Jul 31, 2023, 10:05:57 AM
to Seo Suchan, dev-secur...@mozilla.org
Hi Seo,
A CA must fulfill its obligation to perform domain validation as defined in BR
3.2.2.4 using a Certificate System that is audited under the NCSSRs.
Additional checks would be considered a High Risk check, and there is no
prohibition on the delegation of such High Risk checks. So, I believe such
checking is compliant with the BRs (and MRSP).

Thanks,
Corey