[cabfpub] How a Certificate Is Issued - the Baseline Requirements Version

Ryan Sleevi sleevi at google.com
Fri Apr 14 16:55:01 UTC 2017

Peter asked, in https://cabforum.org/pipermail/public/2017-April/010392.html
, that I write up how I believe the Baseline Requirements permit a
certificate to be issued.

I will attempt to explain, with supporting citations to the existing
Requirements, so that member CAs who disagree with this can provide the
relevant Baseline Requirements clauses that may exempt from this.

   1. A Certificate Request is received.
      1. There is no technical requirement as to the format of the request.
      It could be a CSR, potentially even one with an invalid
signature. It could
      be a call to an API. It could be a phone call requesting a certificate.
      2. The request, as used in the BRs, refers to the logical process
      that aggregates all of the information, and that information may be
      aggregated over a series of interactions or exchanges. At a minimum, a
      Request must include a public key, whether explicitly or implicitly
      3. The CA must archive the request, as well as all data supporting
      the request, for at least seven years after any certificate
issued expires
      (Section 5.5.2)
      4. The CA must record that the request was made, all information
      generated and documentation received in conjunction with the request
      (Section 5.4.1)
   2. The CA must ensure it has an executed Subscriber Agreement or Terms
   of Use (Section 4.1.2)
   3. The request does not need to contain all of the information related
   to the certificate (Section 4.2.1). If it does not, the CA shall obtain it
   either from the applicant or a reliable, independent third-party data
   source which is then confirmed with the applicant.
   4. The CA must verify every request independent of any past actions
   (Section 4.2.1, "The CA SHALL establish and follow a documented procedure
   for verifying all data requested for inclusion in the Certificate by the
   Applicant.", "The CA MAY use the documents and data provided in Section 3.2
   to verify certificate information" - note, active tense)
   5. The CA may use previously obtained information consistent with that
   validation, provided that it reverifies that data
      1. For example, if a certificate request includes the name or address
      of an organization (Section, then the CA may verify that request
      by using data previously obtained from one of the data sources enumerated
      therein. The CA MUST verify that the information in the request is
      consistent with that dataset. For a programmatic verification,
this may be
      as 'simple' as checking an equality check with the existing documents.
   6. The documents and data used MUST be consistent with the policies
   related to the certificate at the time of issuance.
   1. For example, if a domain was verified using, and the data
      and documents used to support that verification are no longer accepted by
      the in-force version of the Baseline Requirements, the CA MUST NOT issue
      the certificate. This is consistent with Section 4.2.1
enumerating that the
      CA MUST verify the information.
   7. The CA MAY designate a third party to do this verification. This is
   called a Delegated Third Party (Section 1.3.2)
      1. All Delegated Third Parties MUST meet the obligations stated
      within Section 1.3.2
         1. They must be qualified per Section 5.3.1
         2. They must retain all documentation per 5.5.2
         3. They must abide by the Baseline Requirements at all times
         4. They must comply either with the CA's CP/CPS or their CA/CPS,
         which must comply with the BRs
      2. An Enterprise RA is a Delegated Third Party (Section 8.4, "If a
      Delegated Third Party is not currently audited in accordance
with Section 8
      and is not an Enterprise RA", "and the Delegated Third Party is not an
      Enterprise RA")
      3. If an Enterprise RA is used, then in addition to the above
      stipulations, the CA must ALSO ensure
         1. The CA confirms that the FQDN is within the Enterprise RA's
         verified Domain Namespace
            1. While the use of the past-tense "verified" here may imply
            the use of a previous verification, this would not be
consistent with the
            application of Section 4.2.1 and Section 3.2. The
interpretation of this is
            that the CA must, for every certificate issued by the
Enterprise RA, verify
            that Enterprise RA's domain namespace using one of the
methods in Section
            3.2, using data and documents that may have been
previously obtained (Per
            Section 4.2.1). The Enterprise RA is thus responsible for
verifying the
            portion of the Domain Namespace beneath that.
         2. For every name in the Subject other than the FQDN, the CA MUST
         ensure, for every certificate, that the name is either that
of a delegated
         enterprise, or an affiliate of the delegated enterprise, or that the
         delegated enteprise is an agent of the named Subject.
            1. This verification may also be implemented via technical
            controls as an equality check. For example, that "Document
Foo" establishes
            that Applicant Bar (An Enterprise RA) is authorized for
"ABC Co.". Any
            subsequent certificate requests can compare if the name is
"ABC Co.", and
            if so, has met its obligations with respect to continuous
verification and
            the reuse of information
         4. Unless the Enterprise RA is audited, the CA must have a
      Validation Specialist employed by the CA perform ongoing quarterly audits
      of the greater of one certificate or three percent of certificates issued
      (Section 8.7)
         1. This means all Enterprise RAs should be undergoing an audit
         performed by the CA's Validation Specialist
      5. The CA must ensure that Delegated Third Parties, which includes
      Enterprise RAs, uses a process that provides at least the same level of
      assurance as the CA's own processes (Section 4.2.1)
         1. If a CA implements a domain blacklist, for example, it MUST
         ensure that Enterprise RAs implement the same domain blacklist
      8. For domain names, and domain names only, "Completed Confirmations
   of Applicant Authority may be valid for the issuance of multiple
   certificates over time. In all cases, the confirmation must have been
   initiated within the time period specified in the relevant requirement
   (such as Section 3.3.1 of this document) prior to certificate issuance."
      1. "such as" is illustrative, not exhaustive. As such, despite the
      relevant section number being incorrect (It's 4.2.1 not 3.3.1), that does
      not normatively change the requirement
      2. Individual sections may specify more or less restrictive
      timelines. This is the discussion related to Ballot 186 in
conjunction with
      190. The proposed 190, for example, limits the use of a Random Value in to 30 days, which thus limits the use, even in the presence of
      Section 4.2.1
         1. Section of Ballot 190 attempts to draw an equivalence
         to 30 days or that permitted by 4.2.1. While repeating the
same mistake as
         the existing text, of referencing Section 3.3.1, it is a
         example set, and thus accomplishes the intended goal, even if
         the wrong section as an example.

The combination of these means that an acceptable flow is as follows, using
Peter's example

   - Customer contracts with CA for certificates and to establish an
   Enterprise RA
   - Customer and CA negotiate credentials
      - The credentials used must conform with the NCSRs if the CA is
      audited to the NCSRs, because Enterprise RAs are DTPs, and thus the CA's
      relationship to them is subject to the NCSRs
   - CA obtains documents that cover evidence of identity (for OV/EV) and
   evidence of domain control/authorization for customer specified identities
   and domains
   - CA receives application for certificate from Enterprise RA,
   authentication based on #2
   - The CA uses information collection to verify the information in the
      - The CA MUST verify the Enterprise RA is authorized for the Domain
         - This MAY use the previously obtained data and documents. In this
         case, the CA MUST verify that the requested name matches the data or
         document as defined in Section This may simply be an equality
         check using information a Validation Specialist previously
entered as data
         to be associated with the document (Section 4.2.1). For some
         as, the CA MUST ensure it meets the clauses of either (i) or
         (ii), which are more than 'simple' equality checks.
         - OR This MAY reuse a completed confirmation of applicant
         authority, provided if and only if the applicant authority is
         with the then-current Section (Section, for
(at present),
         a period of up to 39 months, unless that period is reduced a specific
         clause within Section*, such as (Section,
         Section 4.2.1, Section*)
      - The CA MUST verify domain name is within the authorized Domain
      Namespace (Section 1.3.2)
      - The CA MUST confirm that the Subject information, if any, meets the
      requirements of Enterprise RA authority (Section 1.3.2)
         - This MAY use previously obtained data and documents. In this
         case, the CA MUST verify the requested Subject name matches
the data or
         documents as defined in Section 3.2. This may simply be an
equality check
         using information a Validation Specialist previously entered
as data to be
         associated with the document (Section 4.2.1)
      - If verified, issues certificate
   - Every quarter, a Validation Specialist at the CA verifies the greater
   of one certificate or three percent of the certificates issued by the
   Enterprise RA to assess compliance with the contract and CP/CPS (Section
   8.7), including restrictions on identifying and verifying High Risk
   Requests (Section 4.2.1)
   - The Enterprise RA MUST maintain all documentation for a period of at
   least seven years since the last certificate expired (Section 1.3.2,
   Section 5.5.2)
   - The Enterprise RA MUST ensure all of its personnel involved in
   issuance have had their identity and trustworthiness verified (Section
   1.3.2, Section 5.3.1)

Here's the important takeaways:

   - There's nothing (that I can tell) to support the idea that a
   previously Completed Confirmation of Applicant Authority may be re-used if
   the previous method is no longer permitted under the current BRs
   - There's nothing (that I can tell) to support the idea that for
   non-domain related changes, you can 'reuse' the previous verification. You
   must reverify the information, however, the act of reverifying may simply
   be a programatic check of the Validation Data associated with a previous
   - There's nothing (that I can tell) to support that you can obtain the
   data prior to an Applicant making a Certificate Request. The applicant may
   include that information in their request. Alternatively, the CA may get
   that information from a reliable, independent, third-party source after the
   Request is made, but must confirm that with the Applicant (per Section
   4.2.1). This implies that a CA who obtains the information before the
   Request is no longer obtaining it from a reliable, independent, third-party
   source, but from a first-party source. This is perhaps an area of
   disagreement regarding the agreement between "the CA SHALL, ... or, having
   obtained..." as to whether the 'obtained' is allowed to precede the
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170414/24582c9a/attachment-0002.html>

More information about the Public mailing list