[cabfpub] Draft CAA motion (3)

Gervase Markham gerv at mozilla.org
Fri Jan 13 10:24:58 UTC 2017

On 12/01/17 18:47, Steve Medin via Public wrote:
> The proposed amendment does not invalidate and is in conflict with:
> BR 4.1.2. Enrollment Process and Responsibilities, specifically:
> One certificate request MAY suffice for multiple Certificates to be
> issued to the same Applicant, subject to the aging and updating
> requirement in Section 3.3.1, provided that each Certificate is
> supported by a valid, current certificate request signed by the
> appropriate Applicant Representative on behalf of the Applicant.

Can you explain why there is a conflict here? This says that the
Applicant can send you one CSR and you can use it to create multiple
certificates. I'm not sure how that idea is in conflict with the
requirement to check CAA every time you issue one.

> And as Bruce states, the entirety of EVG 11.8.4.

Again, I see no conflict, so you will need to explain exactly where you
think it is.

> In the latter, it is unclear whether the requirement to revoke EV
> Authority ranks above or below CAA assertions in order of interpretation
> unless romanette ii’s periodic re-confirmation of the EV Authority of
> the Certificate Approver is hourly.

Can you explain the scenario you think is problematic? That someone with
EV Authority tries to get an EV cert issued and there is an adverse CAA
record? I don't think the document says that the say-so of someone with
EV Authority is necessarily the only permission-like thing that a CA
needs in order to issue an EV certificate. So I would see the two checks
(EV Authority approval and CAA) as additive.


More information about the Public mailing list