[cabfpub] BR Enterprise RAs

Rich Smith richard.smith at comodo.com
Fri Jan 17 17:18:59 UTC 2014


In reviewing internal practices and BR compliance, we have discovered that
the BRs seem to have a more restricted definition of what an Enterprise RA
is allowed than the EV Guidelines.  I think this is due simply to the
wording of the BRs rather than specific intent.  Because of that, I would
like to propose the following amendment to the BRs.  Please review and let
me know if you are willing to endorse.


----Motion Begins----



14.2.4      Enterprise RAs

The CA MAY designate an Enterprise RA to verify certificate requests from
the Enterprise RA's own organization.

The CA SHALL NOT accept certificate requests authorized by an Enterprise RA
unless the following requirements are satisfied:

1.    The CA SHALL confirm that the requested Fully-Qualified Domain Name(s)
are within the Enterprise RA's verified Domain Namespace (see Section 7.1.2
para 1).


With the following:

14.2.4      Enterprise RAs

The CA MAY contractually authorize the Subject of a specified Valid
Certificate to perform the RA function and authorize the CA to issue
additional Certificates at third and higher domain levels that are contained
within the domain of the original Certificate (also known as an Enterprise
Certificate).  In such case, the Subject SHALL be considered an Enterprise
RA, and the following requirements SHALL apply:

(1)   An Enterprise RA SHALL NOT authorize the CA to issue an Enterprise
Certificate at the third or higher domain levels to any Subject other than
the Enterprise RA or a business that is owned or directly controlled by the
Enterprise RA;

(2)   In all cases, IF the Enterprise Certificate is to contain Organization
details, the Subject of an Enterprise Certificate MUST be an organization
verified by the CA in accordance with these Requirements; 

(3)   The CA MUST impose these limitations as a contractual requirement with
the Enterprise RA and monitor compliance by the Enterprise RA; and,

(4)   The audit requirements of Section 17.1 of these Requirements SHALL
apply to the Enterprise RA, except in the case where the CA maintains
control over the Root CA Private Key or Subordinate CA Private Key used to
issue the Enterprise Certificates, in which case, the Enterprise RA MAY be
exempted from the audit requirements.  In the case that the Enterprise RA is
granted a Technically Constrained Subordinate CA Key, Section 17.9 of these
audit requirements shall apply to the Enterprise RA.





Rich Smith

Validation Manager


 <http://www.comodo.com/> http://www.comodo.com



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140117/bcce3630/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6391 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140117/bcce3630/attachment-0002.bin>

More information about the Public mailing list