[cabfpub] BR Enterprise RAs

Rob Stradling rob.stradling at comodo.com
Wed Jan 22 21:12:53 UTC 2014

On 22/01/14 18:54, Rich Smith wrote:
> TBH, going through this again, it's pretty clear to me that you and Rob
> are both wrong

Rich, just to be clear, I'm basing my comments on what the BRs actually 
say, since AIUI that's the standard against which the CAs are audited.

> and that the three bits above clearly were put there
> specifically to exempt Enterprise RA from "...as of the date the
> Certificate was issued..." statement in 11.1.1.

I'm not convinced that those three bits, as written, support that 

I have no idea whether or not the intent was for Enterprise RAs to be 
exempted from certain requirements.  You're more likely to know/remember 
than me!

> I'm guessing that at this point you and I may have to agree to disagree,

Which is why I long to see the BRs disambiguated.  ;-)

> so I'd like to see someone else weigh in here.


> -Rich
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Wednesday, January 22, 2014 12:52 PM
> *To:* Rich Smith
> *Cc:* Jeremy Rowley; CABFPub
> *Subject:* Re: [cabfpub] BR Enterprise RAs
> On Wed, Jan 22, 2014 at 9:31 AM, Rich Smith <richard.smith at comodo.com> wrote:
> Ryan,
> I'm a little confused.  Are you implying that the Domain Auth Document,
> alone of the methods listed in 11.1.1, would allow re-use for up to 39
> months as per 11.3 in this case?  I'm not sure I understand the
> reasoning there.  In case it wasn't completely clear, the trouble we see
> is specifically the wording in 11.1.1 that says "...as of the date the
> Certificate was issued..."  Your suggestion that a Domain Auth Letter
> would solve the problem leads me to the conclusion that you agree with
> my original interpretation that 11.3 DOES apply to 11.1.1 just as it
> applies to everything else in 11.1, "...as of the date the Certificate
> was issued..." notwithstanding.  If it can be applied to one option in
> 11.1.1 then it can be applied to all, and we can close this discussion
> and move on.  If the consensus is that "...as of the date the
> Certificate was issued..." in 11.1.1 does not necessarily apply to EVERY
> certificate issued to an Enterprise RA, then the problem is solved.  We
> had some disagreement internally over this and came to the conclusion
> that the language is unclear, so I started this discussion.
> All I'm trying to accomplish is to allow an Enterprise RA client, once
> domain control of example.com is established, to allow that to carry
> forward for some specified amount of time so that they don't have to
> re-verify domain control for every subsequent request for a certificate
> for sub-domains of example.com.
> Given that we have already specified max validity of collected data at
> 39 months in Section 11.3, I would prefer to stick with that and simply
> clarify the wording.  I believe that was the intent when all this was
> originally written, but that it wasn't put down in clear language.  I
> can point to bits of language in various sections that support that
> conclusion.
> If the consensus is that 39 months is too long of a max validity for
> this particular bit of data, fine, give me a max validity that you are
> comfortable with.
> -Rich
> Rich,
> I wasn't trying to suggest that 11.3 applies to 11.1. Rather, I was
> trying to indicate that, _at time of issue_, the CA can examine a Domain
> Authorization Document. The second paragraph of 11.1.1 would apply when
> using a Domain Authorization Document, namely
> "The CA MUST verify that the Domain Authorization Document was either
> (i) dated on or after the
> certificate request date or (ii) used by the CA to verify a previously
> issued certificate and that the Domain Name’s
> WHOIS record has not been modified since the previous certificate’s
> issuance."
> This accomplishes the primary goal - demonstrating that the Enterprise
> RA is still authorized to direct issuance of names within their verified
> domain namespace (14.2.4) - without requiring a 'live' validation check
> every time.
> To be clear, I definitely believe that the wording of 11.1.1 is
> specifically to *exempt* it from 11.3 - that is, 11.3 applies to all the
> other information (eg: country, organization name, other verified
> subject information), but MUST NOT apply to the domain, which MUST be
> checked at time of issuance. A "Domain Authorization Document" provides
> a means - independent of 11.3 - to 'cache' that.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

