uspki/policies

Section 3.2.2.4 and 3.2.2.6 consistency

Closed this issue · 2 comments

Comment received (DoD):

  • Fix inconsistency between Sections 3.2.2.4 and 3.2.2.6:
  • In Section 3.2.2.6, replace, “All wildcard FQDNs included in a certificate shall require validation by Section 3.2.2.4.7 DNS Change, or Section 3.2.2.4.5 Domain Authorization Document signed by the Domain Contact…” WITH “All wildcard FQDNs included in a certificate shall require validation by either Section 3.2.2.4.7 DNS Change, or Section 3.2.2.4.12 Validating Applicant as a Domain Contact signed by the Domain Contact…”
  • Consider changing 3.2.2.4 to point to 3.2.2.6 rather than both stating the same requirement.

Similar comments offered by Treasury:

Issue:

  • There are inconsistencies between 3.2.2.4 and 3.2.2.6:
  • Text from 3.2.2.4 – “Wildcard FQDNs are not allowed to be validated using Section 3.2.2.4.6 Agreed Upon Change to Website. All wildcard domain names included in a certificate shall require validation by either Section 3.2.2.4.7 DNS Change, or Section 3.2.2.4.12 Validating Applicant as a Domain Contact signed by the Domain Contact authorizing the issuing of a certificate to include the wildcard FQDN.”
  • Text from 3.2.2.6 – “Wildcard FQDNs are not allowed to be validated using Section 3.2.2.4.6 Agreed Upon Change to Website or Section 3.2.2.4.10 TLS Using a Random Number. All wildcard FQDNs included in a certificate shall require validation by Section 3.2.2.4.7 DNS Change, or Section 3.2.2.4.5 Domain Authorization Document signed by the Domain Contact authorizing the issuing of a certificate to include the wildcard FQDN.”
  • NOTE: 3.2.2.4.5 says “This validation method defined by the Baseline Requirements is not allowed under this CP.”

Recommendation:

  • Recommend that the language in 3.2.2.6 referencing “3.2.2.4.5 Domain Authorization Document signed by the Domain Contact authorizing the issuing of a certificate to include the wildcard FQDN” be changed to “3.2.2.4.12 Validating Applicant as a Domain Contact signed by the Domain Contact authorizing the issuing of a certificate to include the wildcard FQDN”.
  • NOTE: We think the easiest approach to addressing the inconsistencies is to have the text in 3.2.2.4 written to simply reference section 3.2.2.6 directly. This would reduce the potential for inconsistencies.

Incorporated into future CP update.