BRs: Clarify what "an appropriate way" means for wildcards and gTLDs #229

Open
sleevi opened this issue Nov 18, 2020 · 3 comments

sleevi commented Nov 18, 2020

BRs 3.2.2.6 includes the following language:

> CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace.
>
> A CA is not prohibited from issuing a Wildcard Certificate to the Registrant of an entire gTLD, provided that control of the entire namespace is demonstrated in an appropriate way.

This language should be clarified, with reference to specific validation procedures, how to determine "rightful control" and "in an appropriate way". Practically speaking, this means a validation of domain control using a method that modifies DNS at the FQDN level (that is, where the ADN == FQDN == Public Suffix). An e-mail based demonstration of control using WHOIS data, a direct modification of a record on the 'bare' FQDN (and not any underscore prefix), etc.

@sleevi sleevi added enhancement baseline-requirements Server Certificate CWG - Baseline Requirements labels Nov 18, 2020

barrini commented Oct 4, 2023

@dzacharo Dimitris, as per F2F 60, I assigned this issue to you.


dzacharo commented Oct 4, 2023

Following up on the discussion at F2F#60, the question raised was what’s considered "an appropriate way"?

Since this issue was opened, the SCWG has defined which Domain Validation Methods from section 3.2.2.4 are applicable to Wildcard Domain Name validation. These are namely:

  • 3.2.2.4.2
  • 3.2.2.4.4
  • 3.2.2.4.7
  • 3.2.2.4.12
  • 3.2.2.4.13
  • 3.2.2.4.14
  • 3.2.2.4.15
  • 3.2.2.4.16
  • 3.2.2.4.17

If there are no objections, we could prepare a ballot to clarify that only methods allowed to validate Wildcard Domain Names are considered appropriate for section 3.2.2.6.

@barrini barrini closed this as completed Apr 25, 2024
@barrini barrini reopened this Apr 25, 2024
@dzacharo

During the SCWG teleconference of 2024-04-25 it was discussed that the "appropriate way" in 3.2.2.6 could be as easy as replacing with the methods in 3.2.2.4 allowed for wildcard. @timfromdigicert will check if these methods can actually be used for gTLDs to prove control of the Domain Namespace.
