MPIC - Clarify that only methods specified need to utilize MPIC, not all methods #556
Labels
clean-up
Items for future clean-up ballot
Comments
|
This issue was created based on:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The TLS BRs state in several locations: “CAs using this method MUST implement Multi-Perspective Issuance Corroboration as specified in Section 3.2.2.9. To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective.”
It’s been my interpretation, that only sections and methods that include this text, need to follow the MPIC requirements, so that which we call “Constructed Email to Domain Contact” (3.2.2.4.4), does not. (Please correct me if I’m wrong on this interpretation).
However, when looking at the language that is included and quoted above, the “CAs using this method MUST implement Multi-Perspective Issuance Corroboration” bit, could be interpreted as “If you as a CA support this method, you need to implement MPIC on all DCV methods in the BRs”.
Having discussed with @ryancdickson, he's proposed we could update this to:
Validations using this method MUST implement Multi-Perspective Issuance Corroboration as specified in Section 3.2.2.9. To count as corroborating, a Network Perspective MUST observe the same challenge information (i.e. Random Value or Request Token) as the Primary Network Perspective.
The text was updated successfully, but these errors were encountered: