[cabfcert_policy] What is meant by "initial certificate issuance"?

Robin Alden robin at comodo.com
Fri Jul 25 07:27:59 MST 2014


Hi Ben,

I don't think there are broadly accepted industry definitions and I
agree that it would be useful to define terms like that.

In fact I think that another problem is that the justification of the
difference between "initial certificate issuance" and "certificate
renewal" depends on a concept which is not referenced in the CP, namely
the concept of how we assign persistent identifiers to applicants and
how in turn we support the use of that concept and the means we provide
for the applicant to authenticate themselves to the CA in subsequent
requests.

One trivial example of this might be a customer wanting to buy OV or EV
certificates for 3 different sites from the same commercial CA. There
are two ways the customer interaction might go:

1) The CA could allow the customer to place the three orders separately
and to keep the three orders unconnected on the CA's sales and
certificate processing systems. In this case the customer would be asked
to provide copies of the documents demonstrating his identity three
times, and might receive three phone-calls from the CA to set up a
reliable means of communication in each case; or

2) The CA could encourage the customer to create an 'account' (which is
a commercially understood means to have a persistent identity) as an
initial step and then to order the three certificates on the same
'account'. The customer might expect to be asked for identity documents
only once, and for the CA to apply that identity information to all
three orders.

The use of the persistent identity in the second case clearly optimises
the multiple purchase process.

Although the use of a persistent identity is theoretically not required
for PKI, I think in practice it can be argued that it is essential for
straightforward lifecycle management.

The concept is useful, although not essential, for renewal, rekey,
reissuance.

If we formalize the concept of persistent subscriber identity, then we
should look at the risks inherent to it and set down controls on
acceptable means of authentication of subscribers (account-holders) on
their return visits.

I think we can certainly imagine controls that would allow inadequate
means of authentication, and hope to avoid them.

At the top end of what is practicable, we could demand that the
subscriber demonstrates control of the private key of the certificate
that the CA has already issued to him for every interaction with the CA,
and perhaps that is over-the-top for many cases, while being what is
required for some other cases (e.g. FBCA renewal).

Maybe it's a whole can of worms we don't want to open here and now.

And, yes, I think we should be defining what those terms (rekey,
reissuance, renewal) mean too.

Robin

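The "top end" control Robin describes above (the subscriber proving control of the private key of the certificate the CA already issued, on every return visit, while the new request may carry a fresh key) worked through in Go. This is an added example, not code from the thread or from any CA; the RenewalRequest shape, the public key the CA keeps on the subscriber's account, and the hostname are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// RenewalRequest (assumed format): a CSR for the next certificate, which may carry a fresh key, countersigned with the existing certificate's key.
type RenewalRequest struct{ CSR, Sig []byte }

// Subscriber side: sign the CSR with newKey, then countersign the CSR bytes with the key of the certificate the CA already issued on this account.
func NewRenewalRequest(existing, newKey *ecdsa.PrivateKey, cn string) (RenewalRequest, error) {
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, newKey)
	if err != nil {
		return RenewalRequest{}, err
	}
	digest := sha256.Sum256(csr)
	sig, err := ecdsa.SignASN1(rand.Reader, existing, digest[:])
	return RenewalRequest{CSR: csr, Sig: sig}, err
}

// CA side: issuedKey is the public key kept on the subscriber's account from the certificate previously issued to it. Both proofs of possession must hold.
func VerifyRenewal(issuedKey *ecdsa.PublicKey, req RenewalRequest) error {
	csr, err := x509.ParseCertificateRequest(req.CSR)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil { // possession of the new key
		return err
	}
	digest := sha256.Sum256(req.CSR)
	if !ecdsa.VerifyASN1(issuedKey, digest[:], req.Sig) { // possession of the old key
		return errors.New("countersignature does not match the issued certificate's key")
	}
	return nil
}

// Demo reports whether a genuine renewal verifies and whether a request from a party that knows the account but never held the issued key verifies.
func Demo() (genuineOK, impostorOK bool) {
	existing, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fresh, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	good, _ := NewRenewalRequest(existing, fresh, "www.example.com")
	bad, _ := NewRenewalRequest(fresh, fresh, "www.example.com") // wrong countersigning key
	return VerifyRenewal(&existing.PublicKey, good) == nil, VerifyRenewal(&existing.PublicKey, bad) == nil
}

func main() { fmt.Println(Demo()) } // prints: true false
```

Because the countersignature is over the CSR bytes rather than a reuse of the old key in the CSR itself, the same check serves both renewal with the same key and rekey with a fresh one.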
From: policyreview-bounces at cabforum.org
[mailto:policyreview-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: 24 July 2014 21:36
To: policyreview at cabforum.org
Subject: [cabfcert_policy] What is meant by "initial certificate
issuance"?

The NISTIR document (and other PKI documents) refer to steps taken as
part of "initial certificate issuance" and contrast those with steps
taken during "certificate renewal". This comes up first in section
3.2.3.1 of the NISTIR 7924.

There are lifecycle states such as re-key, re-issue, etc., which we have
debated but have not fully defined. If we recommend that "initial
certificate issuance" be defined by NISTIR 7924, what is the definition?
"Initial registration" is also used. What does that mean, or how is
that different from the former?

These terms are used in sections 3.2.3.1, 3.3.1, 3.3.2, 4.6.3, 4.7.3,
and 4.8.1, and Section 3.2 of RFC 3647 is titled "Initial Identity
Validation". "Initial identity proofing" is also mentioned in section
4.8.3.

This question is also related to draft ballot 123 dealing with
re-validation of information because in section 11.13 of the EVG we talk
about "existing subscribers" and "the age of validated data ... before
revalidation is required."

Several CABF documents make a distinction between initial proofing and
information that is subsequently used for renewal. I think we need to
improve our understanding of these things.

Thoughts? Are there any broadly accepted industry definitions we could
use?

Meanwhile, I'll also take a look to see what I can find.

Ben
