<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 19, 2017 at 7:48 PM, Geoff Keating <span dir="ltr">&lt;<a href="mailto:geoffk@apple.com" target="_blank">geoffk@apple.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><br><div><blockquote type="cite"><span class="gmail-"><div>On 19 May 2017, at 3:43 pm, Ryan Sleevi &lt;<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>&gt; wrote:</div><br class="gmail-m_-7468459239884938061Apple-interchange-newline"></span><div><div dir="ltr"><span class="gmail-">How does that fit with the quoted Section 4.1.2?<div><br></div></span><div>"The certificate request MUST contain a request from, or on behalf of, the Applicant for the issuance of a Certificate, and a certification by, or on behalf of, the Applicant that all of the information contained therein is correct."</div></div></div></blockquote><div><br></div><div>4.1.2 starts with “Prior to the issuance of a Certificate”. So, at some point before the certificate issues, 4.1.2 needs to be satisfied. 
There’s no ordering between that and the validation requirements in the BRs.</div></div></div></blockquote><div><br></div><div>Section 1.6.1</div><div><br></div>
<div><div>Applicant: The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate. Once the Certificate issues, the Applicant is referred to as the Subscriber. For Certificates issued to devices, the Applicant is the entity that controls or operates the device named in the Certificate, even if the device is sending the actual certificate request.</div></div><div><br></div>
<div><div>Applicant Representative: A natural person or human sponsor who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant: (i) who signs and submits, or approves a certificate request on behalf of the Applicant, and/or (ii) who signs and submits a Subscriber Agreement on behalf of the Applicant, and/or (iii) who acknowledges the Terms of Use on behalf of the Applicant when the Applicant is an Affiliate of the CA or is the CA.</div></div><div><br></div>
<div>Certificate Data: Certificate requests and data related thereto (whether obtained from the Applicant or
otherwise) in the CA’s possession or control or to which the CA has access. <br></div><div><br></div><div>Within the context of domain validation, Section 3.2.2.4, all of the means of validating are stated in the context of the request. Except for 3.2.2.4.11 (... of course).</div><div><br></div><div>Within the context of IV, Section 3.2.3 is gated on a request.</div><div>Within the context of OV, Section 3.2.5 is gated on a request.</div><div><br></div><div>Further, within that quoted section, as I replied to Ben, while I agree that the totality of information gathered in 4.1.2 can happen asynchronously, I am suggesting that the definition in 4.1.2 constitutes the minimum information necessary for a request - namely, the information to be added and an attestation that said information is correct. The CA is permitted to add additional information (c.f. Section 4.2.1), but there's some initial aspect that constitutes "a request", and represents an immutable set due to the conjunctive requirements.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><div><span class="gmail-"><blockquote type="cite"><div><div dir="ltr"><div>1) If there is no certificate request, is there an Applicant at the time the CA begins validating information?</div></div></div></blockquote><div><br></div></span><div>A validation is only relevant to the BRs if it leads to a certificate issuance. A certificate issuance must only occur after a certificate request which implies the existence of an Applicant to get the certificate request from. So, yes, there must have been an Applicant. 
The CA may not have known who.</div></div></div></blockquote><div><br></div><div>I don't think there's been any disagreement about that - but rather, whether or not 'pregathering' of unknown data is permitted.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><div><span class="gmail-"><blockquote type="cite"><div><div dir="ltr"><div>2) If there is no certificate request, and/or there is no Applicant, how is the information the CA validated conforming with Section 3.2, which Section 4.2.1 references?</div></div></div></blockquote><div><br></div></span><div>There is always an Applicant and there must be a certificate request, see above.</div></div></div></blockquote><div><br></div><div>But at the time the CA is validating the information, there is no Applicant or Request, as per the original message.</div><div><br></div></div></div></div>