<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jan 22, 2014 at 9:31 AM, Rich Smith <span dir="ltr"><<a href="mailto:richard.smith@comodo.com" target="_blank">richard.smith@comodo.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal">
<span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Ryan,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I'm a little confused. Are you implying that the Domain Auth Document, alone of the methods listed in 11.1.1, would allow re-use for up to 39 months as per 11.3 in this case? I'm not sure I understand the reasoning there. In case it wasn't completely clear, the trouble we see is specifically the wording in 11.1.1 that says "...as of the date the Certificate was issued..." Your suggestion that a Domain Auth Letter would solve the problem leads me to the conclusion that you agree with my original interpretation that 11.3 DOES apply to 11.1.1 just it it applies to everything else in 11.1, "...as of the date the Certificate was issued..." notwithstanding. If it can be applied to one option in 11.1.1 then it can be applied to all, and we can close this discussion and move on. If the consensus is that "...as of the date the Certificate was issued..." in 11.1.1 does not necessarily apply to EVERY certificate issued to an Enterprise RA, then the problem is solved. We had some disagreement internally over this and came to the conclusion that the language is unclear, so I started this discussion.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">All I'm trying to accomplish is to allow an Enterprise RA client, once domain control of <a href="http://example.com" target="_blank">example.com</a> is established, to allow that to carry forward for some specified amount of time so that they don't have to re-verify domain control for every subsequent request for a certificate for sub-domains of <a href="http://example.com" target="_blank">example.com</a>.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Given that we have already specified max validity of collected data at 39 months in Section 11.3, I would prefer to stick with that and simply clarify the wording. I believe that was the intent when all this was originally written, but that it wasn't put down in clear language. I can point to bits of language in various sections that support that conclusion.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> If the consensus is that 39 months is too long of a max validity for this particular bit of data, fine, give me a max validity that you are comfortable with.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">-Rich</span></p>
</div></div></blockquote><div><br></div><div><br></div><div>Rich,</div><div><br></div><div>I wasn't trying to suggest that 11.3 applies to 11.1. Rather, I was trying to indicate that, _at time of issue_, the CA can examine a Domain Authorization Document. The second paragraph of 11.1.1 would apply when using a Domain Authorization Document, namely</div>
<div><br></div>"The CA MUST verify that the Domain Authorization Document was either (i) dated on or after the<br>certificate request date or (ii) used by the CA to verify a previously issued certificate and that the Domain Name’s<br>
WHOIS record has not been modified since the previous certificate’s issuance."<br></div><div class="gmail_quote"><br></div><div class="gmail_quote">This accomplishes the primary goal - demonstrating that the Enterprise RA is still authorized to direct issuance of names within their verified domain namespace (14.2.4) - without requiring a 'live' validation check every time.</div>
<div class="gmail_quote"><br></div><div class="gmail_quote">To be clear, I definitely believe that the wording of 11.1.1 is specifically to *exempt* it from 11.3 - that is, 11.3 applies to all the other information (eg: country, organization name, other verified subject information), but MUST NOT apply to the domain, which MUST be checked at time of issuance. A "Domain Authorization Document" provides a means - independent of 11.3 - to 'cache' that.</div>
</div></div>