[cabfpub] BR Enterprise RAs

Rich Smith richard.smith at comodo.com
Wed Jan 22 18:54:32 UTC 2014


I disagree.  Rob's point was that "...as of the date the Certificate was issued..." has to mean something, and given the unclear wording through out I have to agree, sort of, only because of the unclear wording, but as to intent:


1) 11.3 doesn't carve out an exception to 11.1.1.  It says, "The CA MAY use the documents and data provided in Section 11 to verify certificate information, provide that the CA obtained the data or document from a source specified under Section 11 no more than thirty-nine (39) months prior to issuing the Certificate."


2) 14.2.4 states, "1.          The CA SHALL confirm that the requested Fully-Qualified Domain Name(s) are within the Enterprise RA’s verified Domain Namespace (see Section 7.1.2 para 1)."  Note the use of past-tense, "verified"


3) 17.5 first paragraph states, "If a Delegated Third Party is not currently audited in accordance with Section 17 and is not an Enterprise RA, then prior to certificate issuance the CA SHALL ensure that the domain control validation process required under Section 11.1 has been properly performed by the Delegated Third Party by either (1) using an out-of-band mechanism involving at least one human who is acting either on behalf of the CA or on behalf of the Delegated Third Party to confirm the authenticity of the certificate request or the information supporting the certificate request or (2) performing the domain control validation process itself."


TBH, going through this again, it's pretty clear to me that you and Rob are both wrong and that the three bits above clearly were put there specifically to exempt Enterprise RA from "...as of the date the Certificate was issued..." statement in 11.1.1.  I'm guessing that at this point you and I may have to agree to disagree, so I'd like to see someone else weigh in here.




From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, January 22, 2014 12:52 PM
To: Rich Smith
Cc: Jeremy Rowley; CABFPub
Subject: Re: [cabfpub] BR Enterprise RAs




On Wed, Jan 22, 2014 at 9:31 AM, Rich Smith <richard.smith at comodo.com> wrote:


I'm a little confused.  Are you implying that the Domain Auth Document, alone of the methods listed in 11.1.1, would allow re-use for up to 39 months as per 11.3 in this case?  I'm not sure I understand the reasoning there.  In case it wasn't completely clear, the trouble we see is specifically the wording in 11.1.1 that says "...as of the date the Certificate was issued..."  Your suggestion that a Domain Auth Letter would solve the problem leads me to the conclusion that you agree with my original interpretation that 11.3 DOES apply to 11.1.1 just it it applies to everything else in 11.1, "...as of the date the Certificate was issued..." notwithstanding.  If it can be applied to one option in 11.1.1 then it can be applied to all, and we can close this discussion and move on.  If the consensus is that "...as of the date the Certificate was issued..." in 11.1.1 does not necessarily apply to EVERY certificate issued to an Enterprise RA, then the problem is solved.  We had some disagreement internally over this and came to the conclusion that the language is unclear, so I started this discussion.

All I'm trying to accomplish is to allow an Enterprise RA client, once domain control of example.com is established, to allow that to carry forward for some specified amount of time so that they don't have to re-verify domain control for every subsequent request for a certificate for sub-domains of example.com.


Given that we have already specified max validity of collected data at 39 months in Section 11.3, I would prefer to stick with that and simply clarify the wording.  I believe that was the intent when all this was originally written, but that it wasn't put down in clear language.  I can point to bits of language in various sections that support that conclusion.


If the consensus is that 39 months is too long of a max validity for this particular bit of data, fine, give me a max validity that you are comfortable with.







I wasn't trying to suggest that 11.3 applies to 11.1. Rather, I was trying to indicate that, _at time of issue_, the CA can examine a Domain Authorization Document. The second paragraph of 11.1.1 would apply when using a Domain Authorization Document, namely


"The CA MUST verify that the Domain Authorization Document was either (i) dated on or after the
certificate request date or (ii) used by the CA to verify a previously issued certificate and that the Domain Name’s
WHOIS record has not been modified since the previous certificate’s issuance."


This accomplishes the primary goal - demonstrating that the Enterprise RA is still authorized to direct issuance of names within their verified domain namespace (14.2.4) - without requiring a 'live' validation check every time.


To be clear, I definitely believe that the wording of 11.1.1 is specifically to *exempt* it from 11.3 - that is, 11.3 applies to all the other information (eg: country, organization name, other verified subject information), but MUST NOT apply to the domain, which MUST be checked at time of issuance. A "Domain Authorization Document" provides a means - independent of 11.3 - to 'cache' that.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140122/e2a4001d/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6391 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140122/e2a4001d/attachment-0003.bin>

More information about the Public mailing list