[cabfpub] BR Enterprise RAs

Ryan Sleevi sleevi at google.com
Wed Jan 22 17:52:03 UTC 2014

On Wed, Jan 22, 2014 at 9:31 AM, Rich Smith <richard.smith at comodo.com>wrote:

> Ryan,
> I'm a little confused.  Are you implying that the Domain Auth Document,
> alone of the methods listed in 11.1.1, would allow re-use for up to 39
> months as per 11.3 in this case?  I'm not sure I understand the reasoning
> there.  In case it wasn't completely clear, the trouble we see is
> specifically the wording in 11.1.1 that says "...as of the date the
> Certificate was issued..."  Your suggestion that a Domain Auth Letter would
> solve the problem leads me to the conclusion that you agree with my
> original interpretation that 11.3 DOES apply to 11.1.1 just it it applies
> to everything else in 11.1, "...as of the date the Certificate was
> issued..." notwithstanding.  If it can be applied to one option in 11.1.1
> then it can be applied to all, and we can close this discussion and move
> on.  If the consensus is that "...as of the date the Certificate was
> issued..." in 11.1.1 does not necessarily apply to EVERY certificate issued
> to an Enterprise RA, then the problem is solved.  We had some disagreement
> internally over this and came to the conclusion that the language is
> unclear, so I started this discussion.
> All I'm trying to accomplish is to allow an Enterprise RA client, once
> domain control of example.com is established, to allow that to carry
> forward for some specified amount of time so that they don't have to
> re-verify domain control for every subsequent request for a certificate for
> sub-domains of example.com.
> Given that we have already specified max validity of collected data at 39
> months in Section 11.3, I would prefer to stick with that and simply
> clarify the wording.  I believe that was the intent when all this was
> originally written, but that it wasn't put down in clear language.  I can
> point to bits of language in various sections that support that conclusion.
> If the consensus is that 39 months is too long of a max validity for this
> particular bit of data, fine, give me a max validity that you are
> comfortable with.
> -Rich


I wasn't trying to suggest that 11.3 applies to 11.1. Rather, I was trying
to indicate that, _at time of issue_, the CA can examine a Domain
Authorization Document. The second paragraph of 11.1.1 would apply when
using a Domain Authorization Document, namely

"The CA MUST verify that the Domain Authorization Document was either (i)
dated on or after the
certificate request date or (ii) used by the CA to verify a previously
issued certificate and that the Domain Name’s
WHOIS record has not been modified since the previous certificate’s

This accomplishes the primary goal - demonstrating that the Enterprise RA
is still authorized to direct issuance of names within their verified
domain namespace (14.2.4) - without requiring a 'live' validation check
every time.

To be clear, I definitely believe that the wording of 11.1.1 is
specifically to *exempt* it from 11.3 - that is, 11.3 applies to all the
other information (eg: country, organization name, other verified subject
information), but MUST NOT apply to the domain, which MUST be checked at
time of issuance. A "Domain Authorization Document" provides a means -
independent of 11.3 - to 'cache' that.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140122/5be54ea6/attachment-0003.html>

More information about the Public mailing list