[cabfpub] Preballot - Revised Ballot 190

Ryan Sleevi sleevi at google.com
Fri May 19 22:43:12 UTC 2017

How does that fit with the quoted Section 4.1.2?

"The certificate request MUST contain a request from, or on behalf of, the
Applicant for the issuance of a Certificate, and a certification by, or on
behalf of, the Applicant that all of the information contained therein is

1) If there is no certificate request, is there an Applicant at the time
the CA begins validating information?
2) If there is no certificate request, and/or there is no Applicant, how is
the information the CA validated conforming with Section 3.2, which Section
4.2.1 references?

Those are two reasons why I do not believe the scenario is permitted.

On Fri, May 19, 2017 at 6:37 PM, Geoff Keating <geoffk at apple.com> wrote:

> Hi Ryan,
> I don’t think there’s anything in the BRs that says that particular
> validation steps must happen before other steps, so long as the appropriate
> time limits are honored.  Your example where a CA finds an existing
> certificate for a prospective customer, validates everything in that
> certificate (for example checking domain name against organization name
> using whois), and then contacts the prospective customer (for example, via
> postal address in company registration, matched against whois) and asks if
> they’d like a replacement certificate and if all the details are correct,
> seems permitted to me.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170519/9bf3b7b3/attachment-0003.html>

More information about the Public mailing list