So generally speaking, at this point there is little/no support for adding to purpose beyond the case for EV?

-Carlton


==============================
Carlton A Samuels
Mobile: 876-818-1799
Strategy, Planning, Governance, Assessment & Turnaround
=============================

On Thu, Oct 19, 2017 at 10:38 PM, David Cake <dave@davecake.net> wrote:
Thank you to those that managed to make it to our Adobe Connect meeting today, 

We used the document Alex supplied as our initial basis for discussions.

We also looked at the CAB Forum Guidelines For The Issuance And Management Of Extended Validation Certificates
https://cabforum.org/wp-content/uploads/EV-V1_6_5.pdf

We discussed the different methods of validation, etc. Some methods of certificate validation focus only on demonstrating that the certificate applicant is in control of the domain, this includes the ACME protocol used by Lets Encrypt!, and these methods use the DNS directly, but do not use the RDS at all. We agreed that we did not feel that discussing the value of various forms of validation was largely outside of our scope, and had limited value. Validation that does not require access of personally identifying information exists, but by its nature does not act as a purpose for accessing the RDS. 

We chose to focus on the Extended Validation certificate case. The case of Extended Validation extends beyond the DNS and is designed to identify certificate ownership by a particular legal identity, so has a clear case to access identifying data. We discussed the Guidelines in detail, and noted that it was not an absolute necessity to use information from the RDS to validate identity for an EV - while an EV required validation of domain ownership, this could be performed solely via the DNS if necessary, and while an EV required validation of identify, this did not necessarily require use of identifying information from the RDS to perform. However, identifying information in the RDS could improve the practicality and quality of validation, and was used practically by many CAs in their normal course of business and was very practical for many reasons. We discussed that consent to accessing identifying information was implicit in requesting an EV certificate.

We generally did not feel that DNS Certification was a necessary purpose for collection of personally identifying data. Regular use of a domain name is possible without certification, or limited certification is possible without RDS data. But the EV Certificate case was a notable purpose for access of existing personally identifying data. 

Any comments, corrections, additions, or follow up?

David

_______________________________________________
Gnso-rds-pdp-3 mailing list
Gnso-rds-pdp-3@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-3