[cabfpub] EV Guidelines §14.2 delegation of functions to RAs etc.

Ryan Sleevi sleevi at google.com
Fri Aug 5 08:11:03 MST 2016


On Aug 4, 2016 11:56 PM, "Adriano Santoni" <adriano.santoni at staff.aruba.it>
wrote:
>
> Ok, but what is (was) the ratio for that constraint?

I can't answer that. I can only answer what the text says, which prohibits
what you want.

>
> Assume the following:
>
> 1) A certain company (say "ACME Corp") owns/controls several 2nd level domains (two or more).
>
> 2) That company wants EV certificates, from a certain CA, for two or more of those domains, or possibly all of them.
>
> 3) The same company would like to be authorized as an Enterprise RA by the said CA.
>
> Now assume that the said CA, first of all, verifies (with _positive result_) that *all* of those domains are actually owned/controlled by ACME.
>
> Next, the CA verifies that all requirements for issuing the first EV certificate (for any one of those domains) are met, and therefore issues the first EV certificate.

For xxx.example. From your description, at no point has a yyy.example
certificate been publicly issued, correct?

>
> At this point, why should ACME not be allowed to act as an Enterprise RA and thus obtain by themselves (in compliance with all applicable reqs. for Enterprise RAs) the desired EV certificates for the remaining 2nd level domains?
>
> What would be the implied risk of allowing that?
>
> Adriano
>
>
>
> Il 04/08/2016 23:24, Ryan Sleevi ha scritto:
>>
>> You're saying the original certificate is xxx.example, and the new certificate is for xxx.example and yyy.example?
>>
>> No, it would not be appropriate, because yyy.example was not "contained within the domain of the original EV certificate"
>>
>> On Thu, Aug 4, 2016 at 6:19 AM, Adriano Santoni <adriano.santoni at staff.aruba.it> wrote:
>>>
>>> All,
>>>
>>> I have a doubt regarding §14.2 of EV guidelines, and particularly §14.2.2 (Enterprise RAs) that reads:
>>>
>>> "The CA MAY contractually authorize the Subject of a specified Valid EV Certificate to perform the RA function and authorize the CA to issue additional EV Certificates at third and higher domain levels that are contained within the domain of the original EV Certificate (also known as an Enterprise EV Certificate). In such case, the Subject SHALL be considered an Enterprise RA, and the following requirements SHALL apply: ..."
>>>
>>> Now, let's assume that a certain company owns/controls two or more domains, say xxx.com and yyy.net, and that the "original EV Certificate" (quoted from above) was issued by the CA for any one of those domains (say xxx.com): under these conditions, would it be okay to authorize that company to act as an Enterprise RA for the remaining 2nd-level domains that it owns/controls?
>>>
>>> Based on §14.2.2, it seems not.
>>>
>>> Adriano
>>>
>>>
>>>
>>
>
> --
>
> Kind regards,
>
> Adriano Santoni
> ACTALIS S.p.A.
> (Aruba Group)