[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft (2)

Ryan Sleevi sleevi at google.com
Thu Apr 20 17:57:58 UTC 2017


On Thu, Apr 20, 2017 at 12:39 PM, Gervase Markham via Public <
public at cabforum.org> wrote:

> 1) In section 1.3.2 of the Baseline Requirements, replace the following sentence:
>
> "The CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2."
>
> with:
>
> "With the exception of sections 3.2.2.4 and 3.2.2.5, the CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2."
>
>
Based on our description, I believe your intent is also to cover Section
3.2.2.6, correct?

The concern raised in Raleigh that this introduces is that it effectively
forbids Enterprise RAs from managing the validation of domains beneath the
Domain Namespace that the CA has verified. This is because Enterprise RAs
are Delegated Third Parties.

Is your intent to restrict such Enterprise RAs to only performing Subject
Name validation?

At present, neither 3.2.2.4 nor the proposed updates in Ballot 190 permit blanket
authorizations by Domain Namespace. I suspect that if Section 3.2.2.4 were
modified to permit the validation of such requests at the Domain Namespace
level, and the corresponding reuse of such information permitted, then the
meaningful benefit of an Enterprise RA could be met without the necessity
of introducing the concept.

That is, if 3.2.2.4 were worded to somehow suggest that:
"The CA SHALL confirm that, as of the date the Certificate issues, the CA
has validated each Fully‐Qualified Domain Name (FQDN) listed in the
Certificate using at least one of the methods listed below, or is within
the Domain Namespace of a Fully-Qualified Domain Name (FQDN) that has been
validated using at least one of the methods listed below."

Then this might be able to satisfy the concern over Enterprise RAs. It
changes the relationship from permitting an Enterprise RA to have
unconstrained issuance, but contractual restriction, to being one of
technical restriction, by requiring that for every FQDN, the CA validate it
is within the Domain Namespace of a (potentially previously) validated FQDN.
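
The technical restriction described in the message above, sketched as an added example that is not part of the original email or of any CA's code: before issuance, each requested FQDN must equal, or sit label-wise beneath, an FQDN the CA itself validated. The function names, the sample names and dates, and the `reuse_window` parameter are assumptions made for illustration; names are assumed to already be in ASCII (A-label) form.

```python
from datetime import datetime, timedelta, timezone


def labels(name):
    """Split a DNS name into lowercase labels, ignoring one trailing dot."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    parts = name.split(".")
    if any(p == "" for p in parts):
        raise ValueError(f"malformed DNS name: {name!r}")
    return parts


def in_namespace(fqdn, validated_fqdn):
    """True if fqdn is validated_fqdn itself or lies beneath it.

    Compared label by label, so 'evilcorp.example.com' is not inside
    'corp.example.com' even though it ends with the same characters.
    """
    f, v = labels(fqdn), labels(validated_fqdn)
    return len(f) >= len(v) and f[len(f) - len(v):] == v


def authorizing_validation(fqdn, validations, now, reuse_window):
    """Return the validated FQDN that covers fqdn, or None to refuse issuance.

    validations maps each validated FQDN to the time the CA validated it.
    """
    for validated, when in validations.items():
        fresh = timedelta(0) <= now - when <= reuse_window
        if fresh and in_namespace(fqdn, validated):
            return validated
    return None


# Constructed sample data: the names, dates and reuse window are illustrative
# and are not values taken from the Baseline Requirements.
NOW = datetime(2017, 4, 20, tzinfo=timezone.utc)
REUSE_WINDOW = timedelta(days=365)
VALIDATIONS = {
    "corp.example.com": NOW - timedelta(days=30),
    "old.example.net": NOW - timedelta(days=400),
}

if __name__ == "__main__":
    for name in ("vpn.corp.example.com", "evilcorp.example.com", "example.com"):
        print(name, "->", authorizing_validation(name, VALIDATIONS, NOW, REUSE_WINDOW))
```

The check runs on the CA side for every name in a request, so an Enterprise RA's approval is never the only control on which names can be issued.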