<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font face="Calibri">Ryan,</font></p>
<p><font face="Calibri">It just seems to me - but maybe I am wrong -
that the current text is not sufficiently clear. <br>
</font></p>
<font face="Calibri">Generally speaking, I find that §14.2 is not
clear enough as to what an Enterprise RA can do and what they
cannot do, within the overall EV certificate request, validation
and issuance procedure.<br>
</font>
<p><font face="Calibri">My understanding is the following:</font></p>
<p><font face="Calibri">1) An Enterprise RA can request and obtain
certificates in full autonomy and with one person only, through
interaction with the CA services, _limited to those domains they
own or control_. <br>
</font></p>
<p><font face="Calibri">Here, "in full autonomy" follows from §14.2.1
("The CA MAY delegate the performance of all or any part of a
requirement of these Guidelines to an Affiliate or a
Registration Authority (RA) ...") and "with one person only"
follows from §14.2.2 point 4 ("The Final Cross-Correlation and
Due Diligence requirements of Section 11.13 of these Guidelines
MAY be performed by a single person representing the Enterprise
RA;").<br>
</font></p>
<p><font face="Calibri">2) However, the above possibility is only
allowed after the subject organization, to be enabled as an </font><font
face="Calibri">Enterprise RA, has been issued at least one EV
certificate (so-called "original EV certificate") directly by
the CA. <br>
</font></p>
<p><font face="Calibri">Do I understand correctly? If so, this implies that - if a subject
organization is already enabled as an Enterprise RA for OV certs at the time when they
ask for their first EV cert - they cannot (be allowed to)
leverage their enablement as an Enterprise RA in order to obtain their first EV
cert. In other words, the Enterprise RA must not be involved in the
procedure for request/validation/issuance of the "original
EV certificate". Is this what's really meant
by the EVGLs?</font></p>
<p><font face="Calibri">3) At any rate, even under the conditions
above, once a subject organization has been enabled as an Enterprise
RA for EV certs, they can only obtain EV certs for sub-domains of
the SLDN contained in their first EV certificate. <br>
</font></p>
<p><font face="Calibri">Why so? Why cannot the Enterprise RA, at this point, obtain further EV
certs for just any domain (esp. SLDN) they own or control? But
if this is actually allowed, then it's certainly not clear in
the EVGLs. </font></p>
Adriano<br>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 24/08/2016 18:59, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvZnQBoN1-xg64rhx_wMAgGHdRzV92SO_4ajTxnsxfD9Xg@mail.gmail.com"
type="cite">
<div dir="ltr">Adriano,
<div><br>
</div>
<div>It might be useful if you could explain more why you
believe the text disagrees with Kirk, Peter and me. The goal is
not to leave these things up to interpretation, and so if you
believe a plain reading of the text supports an alternative
understanding different from what we said, understanding why
you believe that will be quite important.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 24, 2016 at 2:44 AM,
Adriano Santoni <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank">adriano.santoni@staff.aruba.it</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><font face="Calibri">Kirk,</font></p>
<p><font face="Calibri">thank you for your contribution. <br>
</font></p>
<p><font face="Calibri">If the "correct interpretation" of
the EVGL is actually the one you give below, then it
makes sense. <br>
</font></p>
<p><font face="Calibri">But I see that even you are
expressing some uncertainty ("looks like"...
"in my opinion" ...) so I really would like
to understand whether your interpretation is shared by
most CA members, as I hope. <br>
</font></p>
<p><font face="Calibri">If your interpretation is correct,
I think that the EVGLs are worth improving, for better
clarity.<br>
</font></p>
<p><font face="Calibri">On the other hand, the notion that
an Enterprise RA can only authorize issuance of EV
certs for sub-domains seems weird to me. <br>
I wonder how many EV certificates exist for subdomains
of a company's main domain.... I suppose not many?<br>
</font></p>
<p><font face="Calibri">Adriano</font></p>
<div>
<div class="h5">
<p><br>
</p>
<br>
<div class="m_1320822918363162957moz-cite-prefix">On
17/08/2016 18:56, Kirk Hall wrote:<br>
</div>
<blockquote type="cite">
<div class="m_1320822918363162957WordSection1">
<p class="m_1320822918363162957MsoPlainText">Adriano,
I may not be understanding your original
question -- but here is another possible answer.</p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">If
Company A applies for an EV cert for <a
moz-do-not-send="true" href="http://foo.com"
target="_blank">foo.com</a>, the CA will do an
EV vetting for the <u>organization</u> (Company
A) and then for the <u>domain</u> (<a
moz-do-not-send="true" href="http://foo.com"
target="_blank">foo.com</a>). Under EVGL
14.2, it looks like Company A can then ask to be
designated as an Enterprise RA - but only for
the confirmed domain <a moz-do-not-send="true"
href="http://foo.com" target="_blank">foo.com</a>
-- and then get certs for third level and higher
domains that end in <a moz-do-not-send="true"
href="http://foo.com" target="_blank">foo.com</a>.
But Company A has not proven ownership or
control of any other domains, such as <a
moz-do-not-send="true" href="http://bar.com"
target="_blank">bar.com</a>, so is not an
Enterprise RA for any other domains.</p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">Now
suppose Company A comes back to the RA and asks
for a cert for <a moz-do-not-send="true"
href="http://bar.com" target="_blank">bar.com</a>.
In my opinion, the CA is not required to re-do
EV <u>organization</u> validation for Company A
again -- it can rely on the earlier EV
organization validation (for the full 13 month
period), so long as the CA is certain it is
really dealing with Company A. But it must do
EV validation of <a moz-do-not-send="true"
href="http://bar.com" target="_blank">bar.com</a>
to prove it is owned or controlled by Company
A. Once that has been done, Company A could ask
to be designated as an Enterprise RA for <a
moz-do-not-send="true" href="http://bar.com"
target="_blank">bar.com</a> also. But there
is no real connection between the status of <a
moz-do-not-send="true" href="http://foo.com"
target="_blank">foo.com</a> versus <a
moz-do-not-send="true" href="http://bar.com"
target="_blank">bar.com</a>, other than
Company A may only have to go through a single
EV <u>organization</u> vetting.</p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">Is
that responsive to your original question?</p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">-----Original
Message-----<br>
From: <a moz-do-not-send="true"
class="m_1320822918363162957moz-txt-link-abbreviated"
href="mailto:public-bounces@cabforum.org"
target="_blank">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
class="m_1320822918363162957moz-txt-link-freetext"
href="mailto:public-bounces@cabforum.org"
target="_blank">mailto:public-bounces@cabforum.org</a>]
On Behalf Of Peter Bowen<br>
Sent: Friday, August 5, 2016 9:19 AM<br>
To: Adriano Santoni <a moz-do-not-send="true"
class="m_1320822918363162957moz-txt-link-rfc2396E"
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank"><adriano.santoni@staff.aruba.it></a><br>
Cc: CABFPub <a moz-do-not-send="true"
class="m_1320822918363162957moz-txt-link-rfc2396E"
href="mailto:public@cabforum.org"
target="_blank"><public@cabforum.org></a><br>
Subject: Re: [cabfpub] EV Guidelines §14.2
delegation of functions to RAs etc.</p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">I
don’t think this is a very high bar. It would
seem the following process would work:</p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">1)
Customer requests EV Enterprise RA privileges
for <a moz-do-not-send="true"
href="http://example.com" target="_blank">example.com</a>,
<a moz-do-not-send="true"
href="http://example.net" target="_blank">example.net</a>,
<a moz-do-not-send="true"
href="http://corp.example.org" target="_blank">corp.example.org</a>,
<a moz-do-not-send="true"
href="http://example.biz" target="_blank">example.biz</a>,
…</p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">2) CA
follows EV issuance procedures and issues a
single EV certificate that has all the base
domains in it. This certificate could have a
CA-defined critical extension marking it an
“Enterprise RA EV” certificate or some such to
prevent it from being used on a server. I think
it could even have CA-generated key pair where
the CA simply threw away the private key after
generation. </p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">3) If
the customer wants new domains, the CA issues a
new “Enterprise RA EV” certificate using the
same process. There does not appear to be a
requirement that all domains be in a single
certificate, so it could just be the new
domains.</p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">I
think this would meet all the requirements that
are set out.</p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">Thanks,</p>
<p class="m_1320822918363162957MsoPlainText">Peter</p>
<p class="m_1320822918363162957MsoPlainText"> </p>
<p class="m_1320822918363162957MsoPlainText">>
On Aug 4, 2016, at 11:58 PM, Adriano Santoni
<<a moz-do-not-send="true"
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank"><span
style="color:windowtext;text-decoration:none">adriano.santoni@staff.aruba.it</span></a>>
wrote:</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
OK, but what is (was) the rationale for that
constraint?</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
Assume the following:</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
1) A certain company (say "ACME Corp")
owns/controls several 2nd level domains (two or
more).</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
2) That company wants EV certificates, from a
certain CA, for two or more of those domains, or
possibly all of them.</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
3) The same company would like to be authorized
as an Enterprise RA by the said CA.</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
Now assume that the said CA, first of all,
verifies (with _positive result_) that *all* of
those domains are actually owned/controlled by
ACME.</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
Next, the CA verifies that all requirements for
issuing the first EV certificate (for any one of
those domains) are met, and therefore issues the
first EV certificate.</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
At this point, why should ACME not be allowed to
act as an Enterprise RA and thus obtain by
themselves (in compliance with all applicable
reqs. for Enterprise RAs) the desired EV
certificates for the remaining 2nd level domains? </p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
What would be the implied risk of allowing that?</p>
<p class="m_1320822918363162957MsoPlainText">>
Adriano</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
On 04/08/2016 23:24, Ryan Sleevi wrote:</p>
<p class="m_1320822918363162957MsoPlainText">>>
You're saying the original certificate is
xxx.example, and the new certificate is for
xxx.example and yyy.example?</p>
<p class="m_1320822918363162957MsoPlainText">>>
</p>
<p class="m_1320822918363162957MsoPlainText">>>
No, it would not be appropriate, because
yyy.example was not "contained within the domain
of the original EV certificate"</p>
<p class="m_1320822918363162957MsoPlainText">>>
</p>
<p class="m_1320822918363162957MsoPlainText">>>
On Thu, Aug 4, 2016 at 6:19 AM, Adriano Santoni
<<a moz-do-not-send="true"
href="mailto:adriano.santoni@staff.aruba.it"
target="_blank"><span
style="color:windowtext;text-decoration:none">adriano.santoni@staff.aruba.it</span></a>>
wrote:</p>
<p class="m_1320822918363162957MsoPlainText">>>
All,</p>
<p class="m_1320822918363162957MsoPlainText">>>
</p>
<p class="m_1320822918363162957MsoPlainText">>>
I have a doubt regarding §14.2 of EV guidelines,
and particularly §14.2.2 (Enterprise RAs) that
reads: </p>
<p class="m_1320822918363162957MsoPlainText">>>
</p>
<p class="m_1320822918363162957MsoPlainText">>>
"The CA MAY contractually authorize the Subject
of a specified Valid EV Certificate to perform
the RA function and authorize the CA to issue
additional EV Certificates at third and higher
domain levels that are contained within the
domain of the original EV Certificate (also
known as an Enterprise EV Certificate). In such
case, the Subject SHALL be considered an
Enterprise RA, and the following requirements
SHALL apply: ..."</p>
<p class="m_1320822918363162957MsoPlainText">>>
Now, let's assume that a certain company
owns/controls two or more domains, say <a
moz-do-not-send="true" href="http://xxx.com"
target="_blank">xxx.com</a> and <a
moz-do-not-send="true" href="http://yyy.net"
target="_blank">yyy.net</a>, and that the
"original EV Certificate" (quoted from above)
was issued by the CA for any one of those
domains (say <a moz-do-not-send="true"
href="http://xxx.com" target="_blank">xxx.com</a>):
under these conditions, would it be okay to
authorize that company to act as an Enterprise
RA for the remaining 2nd-level domains that it
owns/controls?</p>
<p class="m_1320822918363162957MsoPlainText">>>
</p>
<p class="m_1320822918363162957MsoPlainText">>>
Based on §14.2.2, it seems not.</p>
<p class="m_1320822918363162957MsoPlainText">>>
</p>
<p class="m_1320822918363162957MsoPlainText">>>
Adriano</p>
<p class="m_1320822918363162957MsoPlainText">>>
</p>
<p class="m_1320822918363162957MsoPlainText">>>
</p>
<p class="m_1320822918363162957MsoPlainText">>>
______________________________<wbr>_________________</p>
<p class="m_1320822918363162957MsoPlainText">>>
Public mailing list</p>
<p class="m_1320822918363162957MsoPlainText">>>
<a moz-do-not-send="true"
href="mailto:Public@cabforum.org"
target="_blank"><span
style="color:windowtext;text-decoration:none">Public@cabforum.org</span></a></p>
<p class="m_1320822918363162957MsoPlainText">>>
<a moz-do-not-send="true"
href="https://cabforum.org/mailman/listinfo/public"
target="_blank"> <span
style="color:windowtext;text-decoration:none">https://cabforum.org/mailman/<wbr>listinfo/public</span></a></p>
<p class="m_1320822918363162957MsoPlainText">>>
</p>
<p class="m_1320822918363162957MsoPlainText">>>
</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
-- </p>
<p class="m_1320822918363162957MsoPlainText">>
Kind regards,</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
<p class="m_1320822918363162957MsoPlainText">>
Adriano Santoni</p>
<p class="m_1320822918363162957MsoPlainText">>
ACTALIS S.p.A.</p>
<p class="m_1320822918363162957MsoPlainText">>
(Aruba Group)</p>
<p class="m_1320822918363162957MsoPlainText">>
</p>
</div>
</blockquote>
<br>
<div class="m_1320822918363162957moz-signature">-- <br>
<p style="font-family:Serif"> Kind regards,<br>
<br>
Adriano Santoni<br>
ACTALIS S.p.A.<br>
(Aruba Group)</p>
</div>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<p style="font-family: Serif">
Kind regards,<br>
<br>
Adriano Santoni<br>
ACTALIS S.p.A.<br>
(Aruba Group)</p>
</div>
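<p>Added example, not code from the thread, the CA/Browser Forum, or any CA: a label-wise scope check for the constraint Ryan and Kirk describe above, namely that an Enterprise RA may only authorize names "at third and higher domain levels that are contained within the domain of the original EV Certificate". It goes slightly beyond the thread: the original certificate may list several base domains, as in Peter's multi-domain proposal, and it deliberately rejects look-alike suffixes such as evilfoo.com and foo.com.attacker.net, which a plain string suffix test would wrongly accept. The function and type names, the sample domains, and the rejection of wildcard labels are assumptions of the example.</p>

```python
"""Scope check for an Enterprise RA under EV Guidelines section 14.2.2.

Added example; not code from the CA/Browser Forum or from anyone in the
thread. Assumption: the CA keeps the list of domains from the "original
EV Certificate" behind the Enterprise RA designation, and lets the RA
authorize only names at the third or higher level that sit strictly
beneath one of those domains. Anything else (the listed domains
themselves, unrelated domains, look-alike suffixes) has to go through
the CA's own EV domain validation.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    base: Optional[str] = None  # original-certificate domain that covers the name


def normalize(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot and split it into labels.

    Empty labels and wildcard labels are rejected: the scope check deals in
    concrete hostnames only (an assumption of this example, not EVGL text).
    """
    cleaned = name.strip().lower().rstrip(".")
    labels = cleaned.split(".")
    if not cleaned or any(label == "" for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    if any(label == "*" for label in labels):
        raise ValueError(f"wildcard label not accepted: {name!r}")
    return labels


def enterprise_ra_allows(original_cert_domains: Iterable[str], requested: str) -> Decision:
    """Decide whether the Enterprise RA may authorize `requested`.

    In scope only if the name has at least three labels and, for some domain
    in the original certificate, its trailing labels equal that domain's
    labels exactly with at least one extra label in front. The comparison is
    label-wise on purpose: a plain string endswith() would accept
    "evilfoo.com" for base "foo.com".
    """
    try:
        req = normalize(requested)
    except ValueError as exc:
        return Decision(False, str(exc))
    if len(req) < 3:
        return Decision(False, "not at the third or higher domain level")
    for base_name in original_cert_domains:
        base = normalize(base_name)
        if len(req) > len(base) and req[-len(base):] == base:
            return Decision(True, "strictly beneath an original-certificate domain", ".".join(base))
    return Decision(False, "not contained within the domain of the original EV Certificate")


def demo() -> dict[str, bool]:
    """Run the check over constructed sample requests; returns name -> allowed."""
    # Constructed sample: an "Enterprise RA EV" certificate listing two base
    # domains, as in the multi-domain variant proposed in the thread.
    original = ["foo.com", "corp.example.org"]
    requests = [
        "www.foo.com", "api.dev.foo.com", "WWW.Foo.COM.",          # in scope
        "foo.com", "bar.com", "example.org",                        # CA must validate these itself
        "evilfoo.com", "a.evilfoo.com", "foo.com.attacker.net",     # look-alike suffixes
        "vpn.corp.example.org", "www.example.org",                  # only the first sits beneath the base
        "*.foo.com",                                                # wildcard label
    ]
    return {name: enterprise_ra_allows(original, name).allowed for name in requests}


if __name__ == "__main__":
    for name, ok in demo().items():
        print("ALLOW" if ok else "DENY ", name)
```

<p>Run it directly to print ALLOW/DENY for the constructed sample. A CA's RA portal would call enterprise_ra_allows() before accepting a request submitted under the Enterprise RA's authority, and route any denied name to the CA's own EV organization and domain validation instead.</p>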
</body>
</html>