[cabfpub] BR Enterprise RAs

Rob Stradling rob.stradling at comodo.com
Wed Jan 22 20:47:22 UTC 2014

On 22/01/14 17:52, Ryan Sleevi wrote:
> To be clear, I definitely believe that the wording of 11.1.1 is
> specifically to *exempt* it from 11.3 - that is, 11.3 applies to all the
> other information (eg: country, organization name, other verified
> subject information), but MUST NOT apply to the domain, which MUST be
> checked at time of issuance. A "Domain Authorization Document" provides
> a means - independent of 11.3 - to 'cache' that.


If 11.3 doesn't apply to 11.1.1 _at all_, then a CA could rely on a 
Domain Authorization Document _forever_, as long as it was "(ii) used by 
the CA to verify a previously issued certificate and that the Domain 
Name's WHOIS record has not been modified since the previous 
certificate's issuance."

Surely the intent was that 11.3 should cap the length of time that a CA 
may rely on a Domain Authorization Document to a maximum of 39 months?

I think the intent of 11.3 was to impose a restriction rather than to 
grant permission.  Therefore, it would've made a lot more sense for it 
to say "The CA MUST NOT <list of restrictions>" rather than "The CA MAY...".

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
