[cabf_validation] Further discussion on improvements for automation in the context of EV certificates

Mads Egil Henriksveen Mads.Henriksveen at buypass.no
Mon Feb 12 15:23:23 UTC 2024 

Hi Doug, Eva and Christophe

Thank you for this proposal!

This removes what we have considered to be obstacles for automating the issuance of EV certificates. We have found such obstacles in section 11.13, 14.1.3 and 16 - which (at least) indicates that two persons or validations specialist must be involved in the processing and approval of each certificate requests on the CA side before issuance. The current language clarifies that this is not required so this addresses our main concerns.

However, I have a few comments and questions for other (sub)topics.

In the new text in 11.13 2) and 3) Due Diligence and Cross-Correlation is described in a way that clarifies those terms, thanks. Verification of domain names are out of scope for Due Diligence, but only if this is performed in an automated manner. Verification of domain names are out of scope for Cross-Correlation, independent on being performed in an automated manner. Is this done deliberately?

I also find current text in section 11.7 Verification of Applicant's Domain Name that should be changed. Section 11.7.1 1) includes text that indicates that method 1 is still allowed (..the CA SHALL confirm that the Applicant either is the domain name registrant or has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements...). The use of Onion domain names is covered both in Section 11.7.1 and BR 3.2.2.4 so perhaps the text in Section 11.7.1 1) could be changed to:
For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant (or the Applicant's Parent Company, Subsidiary Company, or Affiliate, collectively referred to as "Applicant" for the purposes of this section) has control over the FQDN using a procedure specified in Section 3.2.2.4 of the Baseline Requirements.
This might be out of scope for what's covered in your proposal, but it would be nice to fix this also.

The last paragraph in Section 11.14 (moved from 11.14.3) includes a statement about reusing previously submitted data in support of multiple EV Certificate containing the "same Subject". Does this also include Domain Names in Subject Alternative Names? I.e. would a reuse of Due Diligence and Cross-Correlation require that the same Domain Names must be used for all EV certificates?

In Section 14.1.3 the text includes:
For example, one Validation Specialist collects all Applicant information and a second Validation Specialist performs Due Diligence and Cross-Correlation.
We consider that the activities of the first Validation Specialist should focus on (initial) verification processes rather than collecting Applicant information.

The main issue addressed in these comments is the separation of verification of all information related to the Subscriber/Subject (identity) and the verification of Domain Names. I fully understand that in the context of automation of domain control validation this separation might be important, but it's hard to understand the consequences of such a change.

Regards
Mads


From: Validation <validation-bounces at cabforum.org> On Behalf Of Doug Beattie via Validation
Sent: Thursday, January 25, 2024 12:56 PM
To: validation at cabforum.org
Subject: Re: [cabf_validation] Further discussion on improvements for automation in the context of EV certificates

I'm resending this because it may not gave gone though when Eva sent it.

Doug

From: Eva Van Steenberge <eva.vansteenberge at globalsign.com<mailto:eva.vansteenberge at globalsign.com>>
Sent: Thursday, January 25, 2024 4:41 AM
To: validation at cabforum.org<mailto:validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com<mailto:doug.beattie at globalsign.com>>; Christophe Bonjean <christophe.bonjean at globalsign.com<mailto:christophe.bonjean at globalsign.com>>
Subject: Further discussion on improvements for automation in the context of EV certificates

Hello all

We made some amendments to our proposed text here: https://github.com/cabforum/servercert/compare/main...chrisbn:servercert:improve-evg-automation-issue-467

We have a short presentation prepared to summarize what has changed, explain the rationale behind these updates and to seek further feedback from this forum. Looking forward to the discussion!

Kind regards,

[cid:image001.gif at 01DA5DBE.75785240]

Eva VAN STEENBERGE (She/Her)
Senior Compliance officer
[Receiver with solid fill]  +441622766748
[Email with solid fill]  eva.vansteenberge at globalsign.com<mailto:eva.vansteenberge at globalsign.com>
[Cursor with solid fill]  www.globalsign.com<https://www.globalsign.com/>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240212/a692e467/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 115519 bytes
Desc: image001.gif
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240212/a692e467/attachment-0001.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 706 bytes
Desc: image002.png
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240212/a692e467/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 992 bytes
Desc: image003.png
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240212/a692e467/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 567 bytes
Desc: image004.png
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20240212/a692e467/attachment-0005.png>

More information about the Validation mailing list