<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On May 19, 2017, at 5:13 PM, Ryan Sleevi <<a href="mailto:sleevi@google.com" class="">sleevi@google.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div dir="ltr" class=""><br class=""><div class="gmail_extra"><br class=""><div class="gmail_quote">On Fri, May 19, 2017 at 7:52 PM, Peter Bowen <span dir="ltr" class=""><<a href="mailto:pzb@amzn.com" target="_blank" class="">pzb@amzn.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word" class=""><div class=""><span class="gmail-"><div class="">There is no reason a CA couldn’t pull public records based on info in CT to help expedite things (for example identifying the company registration number), but the validation still has to happen. You can’t finalize the validation without binding it to a legal entity who will be the applicant/subscriber.  It is possible that this validation could use records pulled by the CA prior to the request for validation.<br class=""></div></span></div></div></blockquote><div class=""><br class=""></div><div class="">And this goes back to the initial question you posed that kicked this all off, namely:</div><div class="">"I think some have suggested that the BRs don’t allow this alternative order of operations, but I’m having a little trouble finding the specific cite.  
Do you, Ryan, or does anyone else, think the order of operations described above is not valid?"</div><div class=""><br class=""></div><div class="">To tie this all back together: Section 4.2.1 only permits the reuse of information gathered in context with Section 3.2:</div><div class="">"The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that the CA obtained the data or document from a source specified under Section 3.2 no more than thirty‐nine (39) months prior to issuing the Certificate."</div><div class=""><br class=""></div><div class="">Section 3.2 is tied to what the Applicant is requesting in the certificate:</div><div class=""><br class=""></div><div class="">So for there to be information to be reused, it needs to be obtained in the context of an Applicant. 
</div><div class=""><br class=""></div><div class="">And so the question is whether or not there can be an Applicant prior to a Certificate Request.</div><div class=""><br class=""></div><div class="">Section 1.6.1 establishes the Applicant as: "The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate. Once the Certificate issues, the Applicant is referred to as the Subscriber. For Certificates issued to devices, the Applicant is the entity that controls or operates the device named in the Certificate, even if the device is sending the actual certificate request."</div><div class=""><br class=""></div><div class="">I'm sure we can get into the game of debating whether 'applies for' is distinct from 'requests' (although I think that's not supported by the text itself, by virtue of the following sentence, but I'm sure we can misread it).</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">You asked if there was a reason to suggest the ordering must be different. My minimal suggestion was that the order must be:</div><div class=""><br class=""></div><div class="">- A Request, which includes the attestation of correctness (per 4.1.2)</div><div class="">- which establishes an Applicant (per 1.6.1)</div><div class="">- which then permits validation of the Applicant information (per 3.2)</div><div class="">- which can then be reused for subsequent Requests (per 4.2.1)</div><div class=""><br class=""></div><div class="">It would seem that you are advocating for an interpretation that establishes:</div><div class="">- An Applicant (by virtue of establishing an Applicant Representative - the party who has signed the Subscriber Agreement on behalf of the Applicant / acknowledges the TOU, per 1.6.1)</div><div class="">- which then permits validation of the Applicant information (per 3.2)</div><div class="">- Which then permits one or more Requests (per 4.1.2)</div><div class="">- Which then allows the validated information to be reused (per 4.2.1), or the reuse of a previously completed validation (per 3.2.2.4)</div><div class=""><br class=""></div><div class="">Is that a correct summary of the difference?</div></div></div></div>
</div></blockquote><br class=""></div><div>There is another way to look at it.  Applicant is a defined term that is basically a pronoun.  It is reasonable to replace the capitalized “Applicant” with a specific natural person or legal entity.  So the 3.2 validations can be performed against a specific legal entity — e.g. Aperture Science, Inc.  Given that completed validations can be reused, it stands that one could validate that Aperture Science, Inc. controls <a href="http://example.com" class="">example.com</a>, then use that later to issue a certificate.  I think you are getting hung up on a concept that the only way to resolve “Applicant” to a specific entity is via the Applicant submitting a certificate request.  I don’t see anything that forbids a CA from validating that a natural person or legal entity controls a domain or exists outside of a request then reusing that to satisfy a future validation request.</div><div><br class=""></div><div>Thanks,</div><div>Peter</div></body></html>