[cabfpub] Preballot - Revised Ballot 190

Ryan Sleevi sleevi at google.com
Fri May 19 22:07:59 UTC 2017

On Fri, May 19, 2017 at 6:00 PM, Peter Bowen <pzb at amzn.com> wrote:
> Yes, it does.  We know that CAs can generate keys on behalf of the
> subscriber, so it is clear that a public key is not required.  This means
> that a CA could take the request for “issue a certificate to example.com”,
> do validation and key generation, throw away the private key, issue the
> cert, and end up with a “pre-validated” domain.  This is compliant.  The
> generated cert could have some flag in it, similar to a pre-cert, that
> makes it unusable for any real world purpose, and it would still be fine.
> But this is silly.  We don’t want to have hoop jumping for no discernible
> value.
> Can you suggest a change that you feel would make it clear that CAs may
> validate identities (organizations, domains, etc) independent of issuing
> certificates and use the documents and data gathered during such validation
> for future issuance, subject to the aging requirement of 4.2.1?  I would
> suggest a change myself, but I’m not quite clear which part of the BRs you
> feel prevents this today.

The BRs are gated on the concept of an Applicant - all of the validation is
done in concert and connection with an Applicant.

I'm not sure how it makes sense for CAs to have, say, a prevalidated set of
organizations, any of which can apply and thus reuse the information.

Put differently: Do you think it would be BR conformant if a CA looked
through CT, determined which organizations had OV/EV certs, worked through
QIIS/QGIS's to 'prevalidate' the organizational information related to it,
and then approached all customers with the remark "We can give you a
certificate in 30 seconds?"

It may be that the answer is yes - that the extent of the CAs obligations
(to validate the documents and domain, in absentia of an Applicant) are met.
It may be that the answer is no - that a CA cannot begin doing some form of
validation until contacted by an Applicant.

But I think understanding the specific answer to this scenario can help
inform whether or not an "Applicant" is required to make a certificate
request before being, well, an "Applicant".

If they are required to make a request, then naturally, it follows that
your so-called hoop-jumping is necessary, since there is a minimum
definition of what constitutes a certificate request.
If they are not required to make a request, then naturally, the scenario I
described is the logical extreme, in which the CA can validate 'everything
but the application'. To further add to the extreme, it might be possible
for the CA to pre-generate the public key, and just call up the subscriber
and say "Do you want a cert" - with that assent being sufficient to
constitute an "Application"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170519/2a0409da/attachment-0003.html>

More information about the Public mailing list