<p dir="ltr"></p>
<p dir="ltr">On Aug 4, 2016 11:56 PM, "Adriano Santoni" <<a href="mailto:adriano.santoni@staff.aruba.it">adriano.santoni@staff.aruba.it</a>> wrote:<br>
><br>
> Ok,. but what is (was) the ratio for that constraint?</p>
<p dir="ltr">I can't answer that. I can only answer what the text says, which prohibits what you want.</p>
<p dir="ltr">><br>
> Assume the following:<br>
><br>
> 1) A certain company (say "ACME Corp") owns/controls several 2nd level domains (two or more).<br>
><br>
> 2) That company wants EV certificates, from a certain CA, for two or more of those domains, or possibly all of them.<br>
><br>
> 3) The same company would like to be authorized as an Enterprise RA by the said CA.<br>
><br>
> Now assume that the said CA, first of all, verifies (with _positive result_) that *all* of those domains are actually owned/controlled by ACME.<br>
><br>
> Next, the CA verifies that all requirements for issuing the first EV certificate (for any one of those domains) are met, and therefore issues the first EV certificate.</p>
<p dir="ltr">For xxx.example. From your description, at no point has a yyy.example certificate been publicly issued, correct?</p>
<p dir="ltr">><br>
> At this point, why should ACME not be allowed to act as an Enterprise RA and thus obtain by themselves (in compliance with all applicable reqs. for Enterprise RAs) the desired EV certificates for the remaining 2nd level domains ? <br>
><br>
> What would be the implied risk of allowing that?<br>
><br>
> Adriano<br>
><br>
><br>
><br>
> Il 04/08/2016 23:24, Ryan Sleevi ha scritto:<br>
>><br>
>> You're saying the original certificate is xxx.example, and the new certificate is for xxx.example and yyy.example?<br>
>><br>
>> No, it would not be appropriate, because yyy.example was not "contained within the domain of the original EV certificate"<br>
>><br>
>> On Thu, Aug 4, 2016 at 6:19 AM, Adriano Santoni <<a href="mailto:adriano.santoni@staff.aruba.it">adriano.santoni@staff.aruba.it</a>> wrote:<br>
>>><br>
>>> All,<br>
>>><br>
>>> I have a doubt regarding §14.2 of EV guidelines, and particularly §14.2.2 (Enterprise RAs) that reads: <br>
>>><br>
>>> "The CA MAY contractually authorize the Subject of a specified Valid EV Certificate to perform the RA function and authorize the CA to issue additional EV Certificates at third and higher domain levels that are contained within the domain of the original EV Certificate (also known as an Enterprise EV Certificate). In such case, the Subject SHALL be considered an Enterprise RA, and the following requirements SHALL apply: ..."<br>
>>><br>
>>> Now, let's assume that a certain company owns/controls two or more domains, say <a href="http://xxx.com">xxx.com</a> and <a href="http://yyy.net">yyy.net</a>, and that the "original EV Certificate" (quoted from above) was issued by the CA for any one of those domains (say <a href="http://xxx.com">xxx.com</a>): under these conditions, would it be okay to authorize that company to act as an Enterprise RA for the remaining 2nd-level domains that it owns/controls ?<br>
>>><br>
>>> Based on §14.2.2, it seems not.<br>
>>><br>
>>> Adriano<br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> Public mailing list<br>
>>> <a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
>>> <a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><br>
>>><br>
>><br>
><br>
> -- <br>
><br>
> Cordiali saluti,<br>
><br>
> Adriano Santoni<br>
> ACTALIS S.p.A.<br>
> (Aruba Group)<br></p>