<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font face="Calibri">Kirk,</font></p>
<p><font face="Calibri">thank you for your contribution. <br>
</font></p>
<p><font face="Calibri">If the "correct interpretation" of the EVGL
is actually the one you give below, then it makes sense. <br>
</font></p>
<p><font face="Calibri">But I see that even you are expressing some
uncertainty ("looks like"... "in my opinion"...), so I really would like
to understand whether your interpretation is shared by most CA
members, as I hope. <br>
</font></p>
<p><font face="Calibri">If your interpretation is correct, I think
that the EVGLs are worth improving, for better clarity.<br>
</font></p>
<p><font face="Calibri">On the other hand, the notion that an
Enterprise RA can only authorize issuance of EV certs for
sub-domains seems weird to me. <br>
I wonder how many EV certificates exist for subdomains of a company's
main domain... I suppose not many?<br>
</font></p>
<p><font face="Calibri">Adriano</font></p>
<div class="moz-cite-prefix">On 17/08/2016 18:56, Kirk Hall
wrote:<br>
</div>
<blockquote
cite="mid:2b898b1b21f64ae29f986c46360c8bff@PMSPEX04.corporate.datacard.com"
type="cite">
<div class="WordSection1">
<p class="MsoPlainText">Adriano, I may not be understanding your
original question -- but here is another possible answer.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">If Company A applies for an EV cert for
foo.com, the CA will do an EV vetting for the
<u>organization</u> (Company A) and then for the <u>domain</u>
(foo.com). Under EVGL 14.2, it looks like Company A can then
ask to be designated as an Enterprise RA - but only for the
confirmed domain foo.com -- and then get certs for third level
and higher domains that end in foo.com. But Company A has not
proven ownership or control of any other domains, such as
bar.com, so is not an Enterprise RA for any other domains.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Now suppose Company A comes back to the
RA and asks for a cert for bar.com. In my opinion, the CA is
not required to re-do EV
<u>organization</u> validation for Company A again -- it can
rely on the earlier EV organization validation (for the full
13 month period), so long as the CA is certain it is really
dealing with Company A. But it must do EV validation of
bar.com to prove it is owned or controlled by Company A. Once
that has been done, Company A could ask to be designated as an
Enterprise RA for bar.com also. But there is no real
connection between the status of foo.com versus bar.com, other
than Company A may only have to go through a single EV <u>organization</u>
vetting.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Is that responsive to your original
question?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: <a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] On Behalf Of Peter Bowen<br>
Sent: Friday, August 5, 2016 9:19 AM<br>
To: Adriano Santoni <a class="moz-txt-link-rfc2396E" href="mailto:adriano.santoni@staff.aruba.it"><adriano.santoni@staff.aruba.it></a><br>
Cc: CABFPub <a class="moz-txt-link-rfc2396E" href="mailto:public@cabforum.org"><public@cabforum.org></a><br>
Subject: Re: [cabfpub] EV Guidelines §14.2 delegation of
functions to RAs etc.</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I don’t think this is a very high bar.
It would seem the following process would work:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">1) Customer requests EV Enterprise RA
privileges for example.com, example.net, corp.example.org,
example.biz, …<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">2) CA follows EV issuance procedures and
issues a single EV certificate that has all the base domains
in it. This certificate could have a CA-defined critical
extension marking it an “Enterprise RA EV” certificate or some
such to prevent it from being used on a server. I think it
could even have CA-generated key pair where the CA simply
threw away the private key after generation.
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">3) If the customer wants new domains,
the CA issues a new “Enterprise RA EV” certificate using the
same process. There does not appear to be a requirement that
all domains be in a single certificate, so it could just be
the new domains.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I think this would meet all the
requirements that are set out.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Thanks,<o:p></o:p></p>
<p class="MsoPlainText">Peter<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> On Aug 4, 2016, at 11:58 PM,
Adriano Santoni <<a moz-do-not-send="true"
href="mailto:adriano.santoni@staff.aruba.it"><span
style="color:windowtext;text-decoration:none">adriano.santoni@staff.aruba.it</span></a>>
wrote:<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Ok, but what is (was) the rationale
for that constraint?</p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Assume the following:<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> 1) A certain company (say "ACME
Corp") owns/controls several 2nd level domains (two or more).<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> 2) That company wants EV
certificates, from a certain CA, for two or more of those
domains, or possibly all of them.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> 3) The same company would like to
be authorized as an Enterprise RA by the said CA.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Now assume that the said CA, first
of all, verifies (with _positive result_) that *all* of those
domains are actually owned/controlled by ACME.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Next, the CA verifies that all
requirements for issuing the first EV certificate (for any one
of those domains) are met, and therefore issues the first EV
certificate.<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> At this point, why should ACME not
be allowed to act as an Enterprise RA and thus obtain by
themselves (in compliance with all applicable reqs. for
Enterprise RAs) the desired EV certificates for the remaining
2nd level domains ?
<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> What would be the implied risk of
allowing that?<o:p></o:p></p>
<p class="MsoPlainText">> Adriano<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> On 04/08/2016 23:24, Ryan Sleevi
wrote:</p>
<p class="MsoPlainText">>> You're saying the original
certificate is xxx.example, and the new certificate is for
xxx.example and yyy.example?<o:p></o:p></p>
<p class="MsoPlainText">>> <o:p></o:p></p>
<p class="MsoPlainText">>> No, it would not be
appropriate, because yyy.example was not "contained within the
domain of the original EV certificate"<o:p></o:p></p>
<p class="MsoPlainText">>> <o:p></o:p></p>
<p class="MsoPlainText">>> On Thu, Aug 4, 2016 at 6:19 AM,
Adriano Santoni <<a moz-do-not-send="true"
href="mailto:adriano.santoni@staff.aruba.it"><span
style="color:windowtext;text-decoration:none">adriano.santoni@staff.aruba.it</span></a>>
wrote:<o:p></o:p></p>
<p class="MsoPlainText">>> All,<o:p></o:p></p>
<p class="MsoPlainText">>> <o:p></o:p></p>
<p class="MsoPlainText">>> I have a doubt regarding §14.2
of EV guidelines, and particularly §14.2.2 (Enterprise RAs)
that reads:
<o:p></o:p></p>
<p class="MsoPlainText">>> <o:p></o:p></p>
<p class="MsoPlainText">>> "The CA MAY contractually
authorize the Subject of a specified Valid EV Certificate to
perform the RA function and authorize the CA to issue
additional EV Certificates at third and higher domain levels
that are contained within the domain of the original EV
Certificate (also known as an Enterprise EV Certificate). In
such case, the Subject SHALL be considered an Enterprise RA,
and the following requirements SHALL apply: ..."<o:p></o:p></p>
<p class="MsoPlainText">>> Now, let's assume that a
certain company owns/controls two or more domains, say xxx.com
and yyy.net, and that the "original EV Certificate" (quoted
from above) was issued by the CA for any one of those domains
(say xxx.com): under these conditions, would it be okay to
authorize that company to act as an Enterprise RA for the
remaining 2nd-level domains that it owns/controls ?<o:p></o:p></p>
<p class="MsoPlainText">>> <o:p></o:p></p>
<p class="MsoPlainText">>> Based on §14.2.2, it seems not.<o:p></o:p></p>
<p class="MsoPlainText">>> <o:p></o:p></p>
<p class="MsoPlainText">>> Adriano<o:p></o:p></p>
<p class="MsoPlainText">>> <o:p></o:p></p>
<p class="MsoPlainText">>> <o:p></o:p></p>
<p class="MsoPlainText">>>
_______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">>> Public mailing list<o:p></o:p></p>
<p class="MsoPlainText">>> <a moz-do-not-send="true"
href="mailto:Public@cabforum.org"><span
style="color:windowtext;text-decoration:none">Public@cabforum.org</span></a><o:p></o:p></p>
<p class="MsoPlainText">>> <a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public">
<span style="color:windowtext;text-decoration:none">https://cabforum.org/mailman/listinfo/public</span></a><o:p></o:p></p>
<p class="MsoPlainText">>> <o:p></o:p></p>
<p class="MsoPlainText">>> <o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> -- <o:p></o:p></p>
<p class="MsoPlainText">> Kind regards,</p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText">> Adriano Santoni<o:p></o:p></p>
<p class="MsoPlainText">> ACTALIS S.p.A.<o:p></o:p></p>
<p class="MsoPlainText">> (Aruba Group)<o:p></o:p></p>
<p class="MsoPlainText">> <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p style="font-family: Serif">
Kind regards,<br>
<br>
Adriano Santoni<br>
ACTALIS S.p.A.<br>
(Aruba Group)</p>
</div>
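<p>The rule the thread turns on is EVGL 14.2.2's containment requirement: an Enterprise RA may only authorize names "at third and higher domain levels that are contained within the domain of the original EV Certificate". The Python below is an added example, not code from the CA/Browser Forum or from anyone in this thread. It implements that check the way a CA's issuance pipeline would have to, following Kirk's reading above: each separately validated base domain (foo.com, bar.com) is an independent authorization, the base domain itself is not covered, and a name qualifies only when it is strictly below an authorized base. It also covers the edge cases a reviewer would ask about: label-wise suffix matching (so evilfoo.com is not "within" foo.com), case and trailing-dot normalization, a base that is itself a third-level name (corp.example.org, from Peter's list), and wildcard names, which EV certificates do not permit. Function names, the sample domains and the constructed SAN list are assumptions for illustration.</p>

```python
"""Containment check for Enterprise RA authorizations (EVGL 14.2.2).

Added example, not CA/Browser Forum code. Assumes Kirk Hall's reading of
14.2.2 in the thread: an Enterprise RA authorization is bound to one
validated base domain and covers only names strictly below it.
"""
from typing import Dict, List, Optional


def _labels(name: str) -> List[str]:
    """Normalize a DNS name (case-insensitive, optional trailing dot) into labels."""
    name = name.strip().lower().rstrip(".")
    if not name:
        raise ValueError("empty name")
    labels = name.split(".")
    if any(not label for label in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def is_within_base(fqdn: str, base: str) -> bool:
    """True iff fqdn is strictly below base, i.e. at least one label deeper.

    Comparison is on whole labels, so 'evilfoo.com' is not within 'foo.com',
    and the base itself ('foo.com' vs 'foo.com') is not "third level or higher".
    """
    f, b = _labels(fqdn), _labels(base)
    return len(f) > len(b) and f[-len(b):] == b


def ra_may_authorize(fqdn: str, authorized_bases: List[str]) -> Optional[str]:
    """Return the authorized base domain that covers fqdn, or None.

    authorized_bases: base domains the Subject has been EV-validated for and
    contractually designated Enterprise RA for (one authorization per base).
    """
    # EV Guidelines do not allow wildcard names, so an RA cannot authorize one.
    if fqdn.strip().startswith("*"):
        return None
    # Prefer the most specific base when several could match (e.g. both
    # 'example.org' and 'corp.example.org' were validated).
    for base in sorted(authorized_bases, key=lambda b: len(_labels(b)), reverse=True):
        if is_within_base(fqdn, base):
            return base
    return None


def review_request(san_names: List[str], authorized_bases: List[str]) -> Dict[str, Optional[str]]:
    """Map every requested SAN to the base that covers it (None = RA cannot authorize it).

    A request is only issuable on RA authority when no value is None; any
    uncovered name (a different second-level domain, or the base itself) must
    go back through the CA's own EV domain validation.
    """
    return {name: ra_may_authorize(name, authorized_bases) for name in san_names}


def request_fully_covered(san_names: List[str], authorized_bases: List[str]) -> bool:
    """Convenience wrapper: True iff every SAN in the request is RA-authorizable."""
    return all(v is not None for v in review_request(san_names, authorized_bases).values())


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: Company A is Enterprise RA
    # for foo.com only, then asks for names under bar.com as well.
    bases = ["foo.com"]
    request = ["www.foo.com", "api.foo.com", "foo.com", "api.bar.com", "evilfoo.com"]
    for name, covering in review_request(request, bases).items():
        print(f"{name:15s} -> {covering or 'NOT authorizable by the RA'}")
```

<p>Run stand-alone, the script reports that only www.foo.com and api.foo.com are RA-authorizable; foo.com (the base itself), api.bar.com (a domain never validated) and evilfoo.com (a suffix look-alike) are all rejected. Adding "bar.com" to the authorized bases, as in Kirk's second scenario, makes api.bar.com pass without changing the verdict on the others.</p>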
</body>
</html>