<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font face="Calibri">Man Ho, I am a little bit confused by what
you say. It does not seem to answer my question.</font><br>
</p>
<font face="Calibri">If the same company controls, say, 5 different
2nd-level domains, should the CA require that company to sign 5 agreements, all
containing exactly the same data? <br>
<br>
And should the CA verify the same company data 5 times (in
addition to the domain control verification that, of course, must
be made 5 times)?<br>
<br>
If this is actually the case, then again I would like to better
understand the reasoning that backs this requirement in the EV
guidelines...<br>
</font>
<p>Adriano</p>
<br>
<div class="moz-cite-prefix">On 05/08/2016 09:54, Man Ho (Certizen)
wrote:<br>
</div>
<blockquote
cite="mid:472a86ae-9642-15bf-60e5-a2e303f8b9e2@certizen.com"
type="cite">
<p>Allowing an RA to be the same person as the applicant is in
principle a conflict of interest. It is no different from a
self-signed certificate, like a CA trusting itself.</p>
<p>But I think Section 14.2.2 is just written as an exception to
this conflict, such that when the subscriber of the original EV
certificate is also CONTRACTUALLY authorized by the CA to act as
an Enterprise RA, the subscriber can issue (or authorise the CA to
issue) EV certificates at the higher domain levels (a.k.a.
Enterprise EV certificates).</p>
<p>In this case, the CA may follow its EV verification procedure
to issue two Enterprise EV certificates for xxx.com and yyy.net,
then sign an Enterprise RA agreement with ACME for issuing
additional Enterprise EV certificates at third and higher domain
levels. What is the problem with doing it this way? <br>
</p>
<br>
<div class="moz-cite-prefix">On 8/5/2016 2:58 PM, Adriano Santoni
wrote:<br>
</div>
<blockquote
cite="mid:47b001ae-f384-b757-e9de-d69b5a9b7517@staff.aruba.it"
type="cite">
<p><font face="Calibri">Ok, but what is (was) the ratio for
that constraint?</font></p>
<p><font face="Calibri">Assume the following:</font></p>
<p><font face="Calibri">1) A certain company (say "ACME Corp")
owns/controls several 2nd level domains (two or more).</font></p>
<p><font face="Calibri">2) That company wants EV certificates,
from a certain CA, for two or more of those domains, or
possibly all of them.</font></p>
<p><font face="Calibri">3) The same company would like to be
authorized as an Enterprise RA by the said CA.<br>
</font></p>
<p><font face="Calibri">Now assume that the said CA, first of
all, verifies (with _positive result_) that *all* of those
domains are actually owned/controlled by ACME.<br>
</font></p>
<p><font face="Calibri">Next, the CA </font><font
face="Calibri">verifies that all requirements for issuing
the first EV certificate (for any one of those domains) are
met, and therefore issues the first EV certificate.</font></p>
<p><font face="Calibri">At this point, why should ACME not be
allowed to act as an Enterprise RA and thus obtain by
themselves (in compliance with all applicable reqs. for
Enterprise RAs) the desired EV certificates for the
remaining 2nd-level domains?<br>
</font></p>
<font face="Calibri">What would be the implied risk of allowing
that?<br>
</font>
<p><font face="Calibri">Adriano</font></p>
<br>
<div class="moz-cite-prefix">On 04/08/2016 23:24, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvY3fbxEdVS-Dvmd4suSivLHepUzcz0se07sKPWeO_tthA@mail.gmail.com"
type="cite">
<div dir="ltr">You're saying the original certificate is
xxx.example, and the new certificate is for xxx.example and
yyy.example?
<div><br>
</div>
<div>No, it would not be appropriate, because yyy.example
was not "contained within the domain of the original EV
certificate"</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 4, 2016 at 6:19 AM,
Adriano Santoni <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank">adriano.santoni@staff.aruba.it</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><font face="Calibri">All,</font></p>
<p><font face="Calibri">I have a doubt regarding §14.2
of EV guidelines, and particularly §14.2.2
(Enterprise RAs) that reads: <br>
</font></p>
<font face="Calibri">"The CA MAY contractually
authorize the Subject of a specified Valid EV
Certificate to perform the RA function and</font><font
face="Calibri"> authorize the CA to issue additional
EV Certificates at third and higher domain levels
that are contained within the domain</font><font
face="Calibri"> of the original EV Certificate (also
known as an Enterprise EV Certificate). In such
case, the Subject SHALL be considered</font><font
face="Calibri"> an Enterprise RA, and the following
requirements SHALL apply: ..."</font>
<p><font face="Calibri">Now, let's assume that a
certain company owns/controls two or more domains,
say <a moz-do-not-send="true"
href="http://xxx.com" target="_blank">xxx.com</a>
and <a moz-do-not-send="true"
href="http://yyy.net" target="_blank">yyy.net</a>,
and that the "original EV Certificate" (quoted
from above) was issued by the CA for any one of
those domains (say <a moz-do-not-send="true"
href="http://xxx.com" target="_blank">xxx.com</a>):
under these conditions, would it be okay to
authorize that company to act as </font><font
face="Calibri">an Enterprise RA for the remaining
2nd-level domains that it owns/controls?</font></p>
Based on §14.2.2, it seems not.<span class="HOEnZb"><font
color="#888888"><br>
<br>
Adriano<br>
<br>
</font></span></div>
<br>
_______________________________________________<br>
Public mailing list<br>
<a moz-do-not-send="true"
href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p style="font-family: Serif"> Kind regards,<br>
<br>
Adriano Santoni<br>
ACTALIS S.p.A.<br>
(Aruba Group)</p>
</div>
</blockquote>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p style="font-family: Serif">
Kind regards,<br>
<br>
Adriano Santoni<br>
ACTALIS S.p.A.<br>
(Aruba Group)</p>
</div>
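<p>The point Ryan Sleevi makes above, that yyy.net is not "contained within the domain of the original EV Certificate" for xxx.com, is the kind of rule a CA's issuance system has to enforce before it accepts a request from an Enterprise RA. The following is an added example written for this page; it is not code from any participant in the thread, the CA/Browser Forum, or any CA. It models the §14.2.2 wording quoted in the thread (third and higher domain levels, contained within the original EV Certificate's domain) as a plain DNS-label comparison. The function names, the absence of Public Suffix List handling, and the sample domains are all assumptions made for illustration.</p>

```python
# Added example, not part of the mailing-list thread. Models the EV Guidelines
# §14.2.2 scope rule for Enterprise RA issuance: a requested name must be at the
# third or higher domain level AND be contained within the domain of the
# original, fully verified EV Certificate.
#
# Simplifying assumptions (not from the thread or the guidelines):
#   * containment is decided purely by DNS-label comparison;
#   * no Public Suffix List handling, so "xxx.co.uk" is treated like "xxx.com";
#   * wildcard names are not considered.

def normalize_domain(name: str) -> str:
    """Lower-case, trim whitespace and drop a trailing root dot.

    DNS names are case-insensitive, so 'WWW.XXX.COM.' and 'www.xxx.com'
    must be treated as the same name by the scope check.
    """
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name

def labels(name: str) -> list[str]:
    """Split a name into labels ordered from the TLD to the leftmost label.

    'www.xxx.com' -> ['com', 'xxx', 'www']; an empty name yields [].
    """
    name = normalize_domain(name)
    if not name:
        return []
    return list(reversed(name.split(".")))

def within_enterprise_ra_scope(original: str, requested: str) -> bool:
    """True if `requested` may be issued under an Enterprise RA agreement
    tied to the original EV Certificate for `original`.

    Rejects: the same name (not "third and higher" level), sibling or
    unrelated second-level domains (yyy.net), look-alikes (notxxx.com),
    and names that merely embed the original as a prefix
    (xxx.com.evil.example).
    """
    o, r = labels(original), labels(requested)
    if len(o) < 2:              # original must itself be at least a 2nd-level domain
        return False
    if len(r) <= len(o):        # same level or shallower: not "third and higher" under original
        return False
    return r[: len(o)] == o     # every label of the original must match from the right

def covering_original(originals, requested: str):
    """Return the original EV Certificate domain that authorises `requested`, or None."""
    for original in originals:
        if within_enterprise_ra_scope(original, requested):
            return normalize_domain(original)
    return None

def triage_request(originals, requested_names):
    """Split an Enterprise RA request into names the RA may obtain under its
    existing original EV Certificates and names that need the CA's full EV
    verification (the situation the thread discusses for yyy.net).

    Returns (allowed, needs_ca) where `allowed` maps each in-scope name to the
    original that covers it and `needs_ca` lists the out-of-scope names.
    """
    allowed, needs_ca = {}, []
    for name in requested_names:
        cover = covering_original(originals, name)
        if cover is None:
            needs_ca.append(normalize_domain(name))
        else:
            allowed[normalize_domain(name)] = cover
    return allowed, needs_ca

if __name__ == "__main__":
    # Constructed sample: ACME holds one original EV Certificate for xxx.com and,
    # as Enterprise RA, asks for several more names.
    originals = ["xxx.com"]
    request = ["www.xxx.com", "mail.corp.xxx.com", "yyy.net", "mail.yyy.net", "notxxx.com"]
    allowed, needs_ca = triage_request(originals, request)
    print("In scope for the Enterprise RA:", allowed)
    print("Require a new, fully verified EV Certificate:", needs_ca)
```

<p>Run as a script, the constructed request shows www.xxx.com and mail.corp.xxx.com accepted under the xxx.com original, while yyy.net, mail.yyy.net and notxxx.com all fall outside the agreement and go back to the CA for full EV verification. The right-anchored label comparison is what stops a look-alike or a name that only embeds "xxx.com" as a prefix from slipping into scope.</p>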
</body>
</html>