Thanks. Btw it’s hard for me right now to keep up with IETF discussions, so if something relevant comes up, feel free to ping me.
Best,
Henry

On Wed, Feb 11, 2026 at 11:29 AM Kaizer, Andrew <akaizer= [email protected]> wrote:

> Thanks for the feedback, Henry! We will work on some updates to see how
> we can add some of these thoughts in.
>
> Cheers,
> Andrew
>
> *From: *Henry Birge-Lee <[email protected]>
> *Date: *Wednesday, February 4, 2026 at 5:51 PM
> *To: *"[email protected]" <[email protected]>
> *Subject: *[EXTERNAL] [DNSOP] Re: Requesting feedback on
> draft-ietf-dnsop-integration
>
> Hi all,
>
> I reviewed this document and think it's a good draft.
>
> One clause I noticed that I don't take issue with but wanted to comment on
> is:
>
> 3.2. Domain Control Validation
>
> "Some examples of domain control
> validation include storing data in DNS
> [I-D.ietf-dnsop-domain-verification-techniques] or storing evidence
> on a server referenced by a domain name, e.g., at a well-known
> endpoint as described in [RFC8615]."
>
> In the PKI community, there is a subtle difference between webserver control
> and DNS control.
> For example, DCV methods that use evidence from web servers (e.g., http-01)
> are not permitted for the use of subdomain certificates.
>
> Some would argue that evidence in the .well-known dir of a webserver proves
> control of the HTTP(S) server at that domain but not control of the domain
> itself. Since the draft is about DNS names
> in applications, I think there are some applications where that type of
> control (webserver control) is not appropriate (or at least would not be
> sufficient evidence for the CAB/F).
>
> I think the cleanest stance would be to recommend control be established in
> DNS and not other channels.
> This text is also very vague and there are a bunch of ways of showing domain
> control that we no longer think are good ideas, although vagueness does allow
> the draft to avoid being prescriptive with this aspect.
>
> Best,
> Henry
>
> https://henrybirgelee.com/
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
