<div dir="ltr">Adriano,<div><br></div><div>It might be useful if you could explain more why you believe the text disagrees with Kirk, Peter and me. The goal is not to leave these things up to interpretation, and so if you believe a plain reading of the text supports an alternative understanding different from what we said, understanding why you believe that will be quite important.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 24, 2016 at 2:44 AM, Adriano Santoni <span dir="ltr"><<a href="mailto:adriano.santoni@staff.aruba.it" target="_blank">adriano.santoni@staff.aruba.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><font face="Calibri">Kirk,</font></p>
<p><font face="Calibri">thank you for your contribution. <br>
</font></p>
<p><font face="Calibri">If the "correct interpretation" of the EVGL
is actually the one you give below, then it makes sense. <br>
</font></p>
<p><font face="Calibri">But I see that even you are expressing some
uncertainty (</font><font face="Calibri"><font face="Calibri">"looks
like"... "in my opinion" </font>...) so I really would like
to understand whether your interpretation is shared by most CA
members, as I hope. <br>
</font></p>
<p><font face="Calibri">If your interpretation is correct, I think
that the EVGLs are worth improving, for better clarity.<br>
</font></p>
<p><font face="Calibri">On the other hand, the notion that an
Enterprise RA can only authorize issuance of EV certs for
sub-domains seems weird to me. <br>
I wonder how many EV certificates exist for subdomains of a company's
main domain... I suppose not many?<span class="HOEnZb"><font color="#888888"><br>
</font></span></font></p><span class="HOEnZb"><font color="#888888">
<p><font face="Calibri">Adriano</font></p></font></span><div><div class="h5">
<p><font face="Calibri"></font><br>
</p>
<br>
<div class="m_1320822918363162957moz-cite-prefix">On 17/08/2016 18:56, Kirk Hall
wrote:<br>
</div>
<blockquote type="cite">
<div class="m_1320822918363162957WordSection1">
<p class="m_1320822918363162957MsoPlainText">Adriano, I may not be understanding your
original question -- but here is another possible answer.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">If Company A applies for an EV cert for
<a href="http://foo.com" target="_blank">foo.com</a>, the CA will do an EV vetting for the
<u>organization</u> (Company A) and then for the <u>domain</u>
(<a href="http://foo.com" target="_blank">foo.com</a>). Under EVGL 14.2, it looks like Company A can then
ask to be designated as an Enterprise RA - but only for the
confirmed domain <a href="http://foo.com" target="_blank">foo.com</a> -- and then get certs for third level
and higher domains that end in <a href="http://foo.com" target="_blank">foo.com</a>. But Company A has not
proven ownership or control of any other domains, such as
<a href="http://bar.com" target="_blank">bar.com</a>, so is not an Enterprise RA for any other domains.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">Now suppose Company A comes back to the
RA and asks for a cert for <a href="http://bar.com" target="_blank">bar.com</a>. In my opinion, the CA is
not required to re-do EV
<u>organization</u> validation for Company A again -- it can
rely on the earlier EV organization validation (for the full
13 month period), so long as the CA is certain it is really
dealing with Company A. But it must do EV validation of
<a href="http://bar.com" target="_blank">bar.com</a> to prove it is owned or controlled by Company A. Once
that has been done, Company A could ask to be designated as an
Enterprise RA for <a href="http://bar.com" target="_blank">bar.com</a> also. But there is no real
connection between the status of <a href="http://foo.com" target="_blank">foo.com</a> versus <a href="http://bar.com" target="_blank">bar.com</a>, other
than Company A may only have to go through a single EV <u>organization</u>
vetting.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">Is that responsive to your original
question?<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">-----Original Message-----<br>
From: <a class="m_1320822918363162957moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>
[<a class="m_1320822918363162957moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@<wbr>cabforum.org</a>] On Behalf Of Peter Bowen<br>
Sent: Friday, August 5, 2016 9:19 AM<br>
To: Adriano Santoni <a class="m_1320822918363162957moz-txt-link-rfc2396E" href="mailto:adriano.santoni@staff.aruba.it" target="_blank"><adriano.santoni@staff.aruba.<wbr>it></a><br>
Cc: CABFPub <a class="m_1320822918363162957moz-txt-link-rfc2396E" href="mailto:public@cabforum.org" target="_blank"><public@cabforum.org></a><br>
Subject: Re: [cabfpub] EV Guidelines §14.2 delegation of
functions to RAs etc.</p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">I don’t think this is a very high bar.
It would seem the following process would work:<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">1) Customer requests EV Enterprise RA
privileges for <a href="http://example.com" target="_blank">example.com</a>, <a href="http://example.net" target="_blank">example.net</a>, <a href="http://corp.example.org" target="_blank">corp.example.org</a>,
<a href="http://example.biz" target="_blank">example.biz</a>, …<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">2) CA follows EV issuance procedures and
issues a single EV certificate that has all the base domains
in it. This certificate could have a CA-defined critical
extension marking it an “Enterprise RA EV” certificate or some
such to prevent it from being used on a server. I think it
could even have CA-generated key pair where the CA simply
threw away the private key after generation.
<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">3) If the customer wants new domains,
the CA issues a new “Enterprise RA EV” certificate using the
same process. There does not appear to be a requirement that
all domains be in a single certificate, so it could just be
the new domains.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">I think this would meet all the
requirements that are set out.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">Thanks,<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">Peter<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
<p class="m_1320822918363162957MsoPlainText">> On Aug 4, 2016, at 11:58 PM,
Adriano Santoni <<a href="mailto:adriano.santoni@staff.aruba.it" target="_blank"><span style="color:windowtext;text-decoration:none">adriano.santoni@staff.aruba.<wbr>it</span></a>>
wrote:<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> Ok, but what is (was) the rationale
for that constraint?<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> Assume the following:<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> 1) A certain company (say "ACME
Corp") owns/controls several 2nd level domains (two or more).<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> 2) That company wants EV
certificates, from a certain CA, for two or more of those
domains, or possibly all of them.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> 3) The same company would like to
be authorized as an Enterprise RA by the said CA.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> Now assume that the said CA, first
of all, verifies (with _positive result_) that *all* of those
domains are actually owned/controlled by ACME.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> Next, the CA verifies that all
requirements for issuing the first EV certificate (for any one
of those domains) are met, and therefore issues the first EV
certificate.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> At this point, why should ACME not
be allowed to act as an Enterprise RA and thus obtain by
themselves (in compliance with all applicable reqs. for
Enterprise RAs) the desired EV certificates for the remaining
2nd level domains ?
<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> What would be the implied risk of
allowing that?<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> Adriano<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> On 04/08/2016 23:24, Ryan Sleevi
wrote:<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> You're saying the original
certificate is xxx.example, and the new certificate is for
xxx.example and yyy.example?<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> No, it would not be
appropriate, because yyy.example was not "contained within the
domain of the original EV certificate"<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> On Thu, Aug 4, 2016 at 6:19 AM,
Adriano Santoni <<a href="mailto:adriano.santoni@staff.aruba.it" target="_blank"><span style="color:windowtext;text-decoration:none">adriano.santoni@staff.aruba.<wbr>it</span></a>>
wrote:<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> All,<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> I have a doubt regarding §14.2
of EV guidelines, and particularly §14.2.2 (Enterprise RAs)
that reads:
<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> "The CA MAY contractually
authorize the Subject of a specified Valid EV Certificate to
perform the RA function and authorize the CA to issue
additional EV Certificates at third and higher domain levels
that are contained within the domain of the original EV
Certificate (also known as an Enterprise EV Certificate). In
such case, the Subject SHALL be considered an Enterprise RA,
and the following requirements SHALL apply: ..."<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> Now, let's assume that a
certain company owns/controls two or more domains, say <a href="http://xxx.com" target="_blank">xxx.com</a>
and <a href="http://yyy.net" target="_blank">yyy.net</a>, and that the "original EV Certificate" (quoted
from above) was issued by the CA for any one of those domains
(say <a href="http://xxx.com" target="_blank">xxx.com</a>): under these conditions, would it be okay to
authorize that company to act as an Enterprise RA for the
remaining 2nd-level domains that it owns/controls ?<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> Based on §14.2.2, it seems not.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> Adriano<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>>
______________________________<wbr>_________________<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> Public mailing list<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <a href="mailto:Public@cabforum.org" target="_blank"><span style="color:windowtext;text-decoration:none">Public@cabforum.org</span></a><u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <a href="https://cabforum.org/mailman/listinfo/public" target="_blank">
<span style="color:windowtext;text-decoration:none">https://cabforum.org/mailman/<wbr>listinfo/public</span></a><u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">>> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> -- <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> Kind regards,<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> Adriano Santoni<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> ACTALIS S.p.A.<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> (Aruba Group)<u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText">> <u></u><u></u></p>
<p class="m_1320822918363162957MsoPlainText"><u></u> <u></u></p>
</div>
</blockquote>
<br>
<div class="m_1320822918363162957moz-signature">-- <br>
<p style="font-family:Serif">
Kind regards,<br>
<br>
Adriano Santoni<br>
ACTALIS S.p.A.<br>
(Aruba Group)</p>
</div>
</div></div></div>
<br></blockquote></div><br></div>
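The scope rule the thread is debating, in the reading Kirk and Ryan give of EVGL 14.2.2 (an Enterprise RA confirmed for foo.com may approve only names at third and higher levels under foo.com, never foo.com itself, bar.com or a look-alike such as notfoo.com), as an added Python example that is not code from any message in the thread; the EnterpriseRA class, its method names and the sample domains are assumptions.

```python
"""Scope check for an EV Enterprise RA as read in the thread (EVGL 14.2.2):
the RA may approve names only at third and higher levels *within* a domain
the CA has itself EV-validated.  Constructed example, not a real RA record."""
from dataclasses import dataclass, field
from typing import Optional, Set


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so matching is label-wise, not substring-wise."""
    return name.strip().lower().rstrip(".")


@dataclass
class EnterpriseRA:
    """An Enterprise RA and the base domains the CA has completed EV domain validation for."""
    organization: str
    confirmed_domains: Set[str] = field(default_factory=set)

    def add_confirmed_domain(self, domain: str) -> None:
        """Record a base domain only after the CA's own EV domain validation succeeded."""
        self.confirmed_domains.add(_normalize(domain))

    def covering_domain(self, fqdn: str) -> Optional[str]:
        """Return the confirmed base domain that scopes `fqdn`, or None if the RA may
        not approve it.  A name qualifies only when it has at least one label *below*
        a confirmed domain: third level under foo.com, fourth level under a
        third-level base such as corp.example.org.  The base itself, sibling
        domains and suffix look-alikes (notfoo.com vs foo.com) are all rejected."""
        labels = _normalize(fqdn).split(".")
        if "" in labels or "*" in labels:   # malformed names and wildcards are out of scope here
            return None
        # Try every proper suffix, longest first; the whole name (i == 0) is never a candidate,
        # which is what keeps the base domain itself outside the RA's authority.
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.confirmed_domains:
                return candidate
        return None

    def may_approve(self, fqdn: str) -> bool:
        """True if this Enterprise RA may authorize an EV certificate for `fqdn`."""
        return self.covering_domain(fqdn) is not None


if __name__ == "__main__":
    ra = EnterpriseRA("Company A")
    ra.add_confirmed_domain("foo.com")          # EV-validated by the CA
    for name in ("www.foo.com", "foo.com", "bar.com", "notfoo.com"):
        print(f"{name:14} -> {ra.may_approve(name)}")
```

Adding bar.com to the RA's scope requires the CA to run EV domain validation for bar.com first, which is exactly the separate step Kirk describes; the check above does not let a confirmed foo.com carry bar.com along.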