[cabfpub] BR Enterprise RAs

Ryan Sleevi sleevi at google.com
Fri Jan 17 17:26:05 UTC 2014


Third or higher is insufficient for most ccTLDs (example.co.uk) or overly
broad for gTLDs (foo.example).

Is there a reason you didn't simply refer to the registered domain name
(and any preceding labels)?

That also covers the school.k12.wv.us type registrations as well.

On Jan 17, 2014 9:19 AM, "Rich Smith" <richard.smith at comodo.com> wrote:

> Colleagues,
>
> In reviewing internal practices and BR compliance, we have discovered that
> the BRs seem to have a more restricted definition of what an Enterprise RA
> is allowed than the EV Guidelines.  I think this is due simply to the
> wording of the BRs rather than specific intent.  Because of that, I would
> like to propose the following amendment to the BRs.  Please review and let
> me know if you are willing to endorse.
>
>
>
> ----Motion Begins----
>
>
>
> Replace:
>
> 14.2.4      Enterprise RAs
>
> The CA MAY designate an Enterprise RA to verify certificate requests from
> the Enterprise RA’s own organization.
>
> The CA SHALL NOT accept certificate requests authorized by an Enterprise
> RA unless the following requirements are satisfied:
>
> 1.    The CA SHALL confirm that the requested Fully-Qualified Domain
> Name(s) are within the Enterprise RA’s verified Domain Namespace (see
> Section 7.1.2 para 1).
>
>
>
> With the following:
>
> 14.2.4      Enterprise RAs
>
> The CA MAY contractually authorize the Subject of a specified Valid
> Certificate to perform the RA function and authorize the CA to issue
> additional Certificates at third and higher domain levels that are
> contained within the domain of the original Certificate (also known as an
> Enterprise Certificate).  In such case, the Subject SHALL be considered an
> Enterprise RA, and the following requirements SHALL apply:
>
> (1)   An Enterprise RA SHALL NOT authorize the CA to issue an Enterprise
> Certificate at the third or higher domain levels to any Subject other than
> the Enterprise RA or a business that is owned or directly controlled by the
> Enterprise RA;
>
> (2)   In all cases, IF the Enterprise Certificate is to contain
> Organization details, the Subject of an Enterprise Certificate MUST be an
> organization verified by the CA in accordance with these Requirements;
>
> (3)   The CA MUST impose these limitations as a contractual requirement
> with the Enterprise RA and monitor compliance by the Enterprise RA; and,
>
> (4)   The audit requirements of Section 17.1 of these Requirements SHALL
> apply to the Enterprise RA, except in the case where the CA maintains
> control over the Root CA Private Key or Subordinate CA Private Key used to
> issue the Enterprise Certificates, in which case, the Enterprise RA MAY be
> exempted from the audit requirements.  In the case that the Enterprise RA
> is granted a Technically Constrained Subordinate CA Key, Section 17.9 of
> these audit requirements shall apply to the Enterprise RA.
>
>
>
>
>
> --
>
> Regards,
>
> Rich Smith
>
> Validation Manager
>
> Comodo
>
> http://www.comodo.com
>
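
Added example, not part of the original messages or of the BRs: a sketch of the "registered domain name (and any preceding labels)" check from the reply, showing that the registered domain sits at a different label depth for each of the names mentioned in the thread. The function names are hypothetical and the suffix set is a constructed subset; a real check would load the full Public Suffix List.

```python
# Constructed suffix subset (assumption): just enough entries to cover the
# names in the thread. A real check would load the full Public Suffix List.
SUFFIXES = {"uk", "co.uk", "us", "wv.us", "k12.wv.us", "example"}


def labels(fqdn):
    """Split an FQDN into lowercase labels, ignoring a trailing root dot."""
    return fqdn.lower().rstrip(".").split(".")


def registered_domain(fqdn):
    """Return the longest matching suffix plus one label, else None."""
    parts = labels(fqdn)
    for i in range(len(parts)):  # i ascending: the longest suffix is tried first
        if ".".join(parts[i:]) in SUFFIXES:
            # i == 0 means the name is itself a suffix, not a registration.
            return ".".join(parts[i - 1:]) if i > 0 else None
    return None  # no suffix in the list matches


def registration_level(fqdn):
    """Number of labels in the registered domain (2 = second level, ...)."""
    reg = registered_domain(fqdn)
    return len(labels(reg)) if reg else None


def within_namespace(fqdn, verified_name):
    """True if fqdn is verified_name or verified_name with preceding labels.

    verified_name must itself be a registered domain; a bare suffix such as
    "co.uk" never defines a namespace.
    """
    reg = registered_domain(verified_name)
    if reg is None or reg != ".".join(labels(verified_name)):
        return False
    # Comparing registered domains matches on label boundaries, so
    # "badexample.co.uk" does not fall inside "example.co.uk".
    return registered_domain(fqdn) == reg


if __name__ == "__main__":
    for name in ("foo.example", "example.co.uk", "school.k12.wv.us"):
        print(name, "-> registered at level", registration_level(name))
    print(within_namespace("www.example.co.uk", "example.co.uk"))
    print(within_namespace("badexample.co.uk", "example.co.uk"))
```
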