[cabfpub] BR Enterprise RAs

Ryan Sleevi sleevi at google.com
Fri Jan 17 13:26:49 MST 2014


Hi Rich,

While I agree with the conclusion reached by Rob, I'm a little confused how
changing the definition of 14.2.4 accomplishes the desired result.

That is, you removed the reference to 7.1.2 (although I'm uncertain why
there reference is only to para 1, and not 7.1.2 in its entirety), but
Section 11.1.1 would/should still apply.

Have I missed something with your proposed change? Is the belief that the
Enterprise RA can perform the authorization checks from 11.1 on behalf of
the CA with the new wording?

The potential problem I see here is that it would seem to open the
following loophole:
- CA verifies Enterprise RA is authorized for foo.example (eg: via DNS)
with a 5 year registration at Time X
- At time X+59 months, Enterprise RA directs CA to issue a certificate for
www.foo.example, with a 60 month validity (per 9.4.1)
- Effective certificate lifetime is 119 months

I see Section 11.1.1 and Section 14.2.4 as trying to 'defend' against this.
Of course, they may be doing so poorly (by not checking the authorization
duration for the domain), but at least that strikes at the intent.

I do agree that we should try to bring the EVGs and BRs into alignment (to
the degree appropriate), by permitting Enterprise RAs to perform acts on
behalf of the CA, provided that all FQDNs fall within the scope of the RA's
verified Domain Namespace.



On Fri, Jan 17, 2014 at 12:06 PM, Rich Smith <richard.smith at comodo.com>wrote:

> Ryan,
>
> As the result of an internal discussion regarding Enterprise RA domain
> control verification we have determined that the current wording of the BRs
> requires the CA to verify domain control on each and every certificate
> request by the enterprise.  My initial opinion was that Section 11.3 would
> allow an Enterprise to obtain certificates in their verified Domain
> Namespace for up to 39 months, however Rob pointed out that Section 11.1.1
> says:
>
>    "the CA SHALL confirm that, _as of the date the Certificate was
>
>     issued_, the Applicant either is the Domain Name Registrant or has
>
>     control over the FQDN".
>
> Rob's opinion is that "as of the date the Certificate was issued" has to
> mean something, and to interpret Section 11.3's "39 months" as overriding
> Section 11.1.1 would render it meaningless.
>
>
>
> I consider his reasoning sound, but I don't think that was the intent,
> especially as it would make the BRs more strict in this regard than the EV
> Guidelines, so that is what this motion is intended to address.  If
> everyone else is of the opinion that 11.3 is sufficient (and I do think
> that quite a few CAs are operating under that assumption) then we can leave
> it alone and move on, but I think the current wording in various sections
> leaves the issue open to interpretation.
>
>
>
> -Rich
>
>
>
>
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Friday, January 17, 2014 2:33 PM
> *To:* Rich Smith
> *Cc:* Jeremy Rowley; CABFPub
>
> *Subject:* Re: [cabfpub] BR Enterprise RAs
>
>
>
> Rich,
>
>
>
> Your original proposal didn't quite indicate the problem that you're
> trying to solve - or at least, the problem as you see it, and instead only
> presented the solution.
>
>
>
> Is the issue something to do with the applicable namespace? Is it trying
> to designate additional entities as Enterprise RAs?
>
>
>
> That is, I see a lot of problems with the proposal as written, and rather
> than trying to dissect them all, I'd like to try and understand what your
> end-goal is, to see how we can move there.
>
>
>
> Cheers,
>
> Ryan
>
>
>
> On Fri, Jan 17, 2014 at 11:30 AM, Rich Smith <richard.smith at comodo.com>
> wrote:
>
> How about editing both to:
>
> The CA MAY contractually authorize the Subject of a specified Valid
> Certificate to perform the RA function and authorize the CA to issue
> additional Certificates at ***the same or higher*** domain levels that are
> contained within the ***verified Domain Namespace*** of the original
> Certificate (also known as an Enterprise Certificate).  In such case, the
> Subject SHALL be considered an Enterprise RA, and the following
> requirements SHALL apply:
>
>
>
> *** indicates where I made the changes.
>
>
>
> -Rich
>
>
>
> *From:* Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
> *Sent:* Friday, January 17, 2014 12:58 PM
> *To:* 'Ryan Sleevi'; 'Rich Smith'
> *Cc:* 'CABFPub'
> *Subject:* RE: [cabfpub] BR Enterprise RAs
>
>
>
> Because the language comes straight from the EV Guidelines.  Maybe we
> should update both at the same time?
>
>
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org<public-bounces at cabforum.org>]
> *On Behalf Of *Ryan Sleevi
> *Sent:* Friday, January 17, 2014 10:26 AM
> *To:* Rich Smith
> *Cc:* CABFPub
> *Subject:* Re: [cabfpub] BR Enterprise RAs
>
>
>
> Third or higher is insufficient for most ccTLDs (example.co.uk) or overly
> broad for gTLDs (foo.example).
>
> Is there a reason you didn't simply refer to the registered domain name
> (and any preceding labels)?
>
> That also covers the school.k12.wv.us type registrations as well.
>
> On Jan 17, 2014 9:19 AM, "Rich Smith" <richard.smith at comodo.com> wrote:
>
> Colleagues,
>
> In reviewing internal practices and BR compliance, we have discovered that
> the BRs seem to have a more restricted definition of what an Enterprise RA
> is allowed than the EV Guidelines.  I think this is due simply to the
> wording of the BRs rather than specific intent.  Because of that, I would
> like to propose the following amendment to the BRs.  Please review and let
> me know if you are willing to endorse.
>
>
>
> ----Motion Begins----
>
>
>
> Replace:
>
> 14.2.4      Enterprise RAs
>
> The CA MAY designate an Enterprise RA to verify certificate requests from
> the Enterprise RA’s own organization.
>
> The CA SHALL NOT accept certificate requests authorized by an Enterprise
> RA unless the following requirements are satisfied:
>
> 1.    The CA SHALL confirm that the requested Fully-Qualified Domain
> Name(s) are within the Enterprise RA’s verified Domain Namespace (see
> Section 7.1.2 para 1).
>
>
>
> With the following:
>
> 14.2.4      Enterprise RAs
>
> The CA MAY contractually authorize the Subject of a specified Valid
> Certificate to perform the RA function and authorize the CA to issue
> additional Certificates at third and higher domain levels that are
> contained within the domain of the original Certificate (also known as an
> Enterprise Certificate).  In such case, the Subject SHALL be considered an
> Enterprise RA, and the following requirements SHALL apply:
>
> (1)   An Enterprise RA SHALL NOT authorize the CA to issue an Enterprise
> Certificate at the third or higher domain levels to any Subject other than
> the Enterprise RA or a business that is owned or directly controlled by the
> Enterprise RA;
>
> (2)   In all cases, IF the Enterprise Certificate is to contain
> Organization details, the Subject of an Enterprise Certificate MUST be an
> organization verified by the CA in accordance with these Requirements;
>
> (3)   The CA MUST impose these limitations as a contractual requirement
> with the Enterprise RA and monitor compliance by the Enterprise RA; and,
>
> (4)   The audit requirements of Section 17.1 of these Requirements SHALL
> apply to the Enterprise RA, except in the case where the CA maintains
> control over the Root CA Private Key or Subordinate CA Private Key used to
> issue the Enterprise Certificates, in which case, the Enterprise RA MAY be
> exempted from the audit requirements.  In the case that the Enterprise RA
> is granted a Technically Constrained Subordinate CA Key, Section 17.9 of
> these audit requirements shall apply to the Enterprise RA.
>
>
>
>
>
> --
>
> Regards,
>
> Rich Smith
>
> Validation Manager
>
> Comodo
>
> http://www.comodo.com
>
>
>
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140117/f55d8dd0/attachment.html 


More information about the Public mailing list