[cabfpub] BR Enterprise RAs

Ryan Sleevi sleevi at google.com
Wed Jan 22 18:54:51 MST 2014 

On Wed, Jan 22, 2014 at 12:47 PM, Rob Stradling <rob.stradling at comodo.com>wrote:

> On 22/01/14 17:52, Ryan Sleevi wrote:
> <snip>
>
>  To be clear, I definitely believe that the wording of 11.1.1 is
>> specifically to *exempt* it from 11.3 - that is, 11.3 applies to all the
>> other information (eg: country, organization name, other verified
>> subject information), but MUST NOT apply to the domain, which MUST be
>> checked at time of issuance. A "Domain Authorization Document" provides
>> a means - independent of 11.3 - to 'cache' that.
>>
>
> Ryan,
>
> If 11.3 doesn't apply to 11.1.1 _at all_, then a CA could rely on a Domain
> Authorization Document _forever_, as long as it was "(ii) used by the CA to
> verify a previously issued certificate and that the Domain Name's WHOIS
> record has not been modified since the previous certificate's issuance."
>
> Surely the intent was that 11.3 should cap the length of time that a CA
> may rely on a Domain Authorization Document to a maximum of 39 months?
>

Why? If WHOIS hasn't changed, there's no (public) indicator that the
authorization is no longer valid.

As long as, for every certificate being issued, the CA is checking the
WHOIS to ensure no changes since the Domain Authorization Document was
received, I'm not sure I'd see the problem.

I'd still expect the certs themselves to be constrained (to the 60 or 39
month period, depending on BRs or EVGs), but as long as the WHOIS data has
not changed (which would include Updated Date, Creation Data, and
Expiration Date), I don't see why there would be an issue relying on the
document.


>
> I think the intent of 11.3 was to impose a restriction rather than to
> grant permission.  Therefore, it would've made a lot more sense for it to
> say "The CA MUST NOT <list of restrictions>" rather than "The CA MAY...".
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20140122/8e24b958/attachment.html

More information about the Public mailing list