[gtld-tech] Requirements for the CA in TLS and DANE

Francisco Arias francisco.arias at icann.org
Fri Dec 4 22:54:19 UTC 2015

Dear colleagues,

Regarding open issue I.1 What requirements should be for the CA to be used
in TLS or whether to use DANE in the gTLD RDAP profile

In sections 1.3.3 and 1.3.4 of v12 we added a MUST for DANE support and
kept the MUST for CA requirements (already in v06 of the draft). Since
RDAP would be a new service it would seem ok to have requirements for
not widely implemented technologies like DANE. RDAP and DANE could grow in
adoption together as RDAP is deployed. We left the MUST for the CA
requirements given the current reality of support.

In the future, we could consider removing the CA requirements once
support for DANE is observed in sufficient scale in RDAP.

Regarding the potential issue of certain jurisdictions requiring the use of
a CA that would not comply with the requirements set forth in the profile,
we considered that we already have a process to address cases where a
contracted party indicates that it is legally prevented by local/national
laws from complying with ICANN's requirements regarding the collection,
display and distribution of registration data. Such a process could be used
in such a case to seek a waiver to the requirement.

Please note that v12 in public comment is just a draft and your input is


