[cabfpub] Preballot - Revised Ballot 190

Geoff Keating geoffk at apple.com
Mon May 22 17:27:12 UTC 2017

I feel like we’re going around in circles here.

The question you’re asking is wrong.  It is not a valid question.  It is a question that relies on false premises.

At the time that the baseline requirements apply, that is the moment of certificate issuance, it is not possible that you can be considering the correctness of a validation without having an Applicant and a request.  If there isn’t an Applicant, or there isn’t a request, the certificate is already misissued and so it does not matter what validations were done.

The baseline requirements describe the validations that must have been done.  They do this in the context of the Applicant and request that applied to this specific certificate issuance.  These validations must have been done (that is, they must be in the past) at the time of issuance.  Before, when the validations were actually done, it might not have been possible to know which certificate(s) they were being done for, but that is irrelevant to the BRs.

This is made exceptionally clear in section,

> The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully‐Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.

Reading this carefully, you see that the CA’s responsibility for validation occurs at “the date the Certificate issues”. Then in section 4.1.2, you have also the very clear sentence

> Prior to the issuance of a Certificate, the CA SHALL obtain from the Applicant a certificate request in a form prescribed by the CA and that complies with these Requirements

This occurs “Prior to the issuance” and therefore before “the date the Certificate issues”.  So at the time the CA is responsible for confirming that validations have been performed, the CA already has “obtain[ed] from the Applicant a certificate request”.

You ask ‘how do you do the validations without an Applicant’.  The question is, as I said, incorrect, in that at the relevant time it is clear who the Applicant is, but here’s an example which answers what I think is the better question, which is how you do the validations first and obtain the request later:

1. A new user creates an account in a CA’s system, identified by username and password
2. The new user indicates they would like to validate example.com as controlled by them
3. The CA’s system looks up example.com in whois and sends an e-mail to the administrative contact, admin at example.com
4. The user, who is logged in, confirms they received the e-mail by supplying the random token
5. The user, who is logged in, now asks for a DV certificate for site.example.com
6. The user, who is logged in, accepts the subscriber agreement for this and all future certificates
7. The user, who is logged in, supplies a CSR for the request
8. The certificate issues, based on the user being the Applicant, step 5 being the request (and step 7 being ‘additional information’), and step 4 being the domain validation.

Now, do you think this certificate is mis-issued under the BRs?  Does it matter if after this process, it continues:

9. A few minutes later, the user, who is still logged in, now asks for another DV certificate for site2.example.com
10. The user, who is logged in, supplies a CSR for the request
11. The certificate issues, based on the user being the Applicant, step 9 being the request (and step 10 being ‘additional information’), and step 4 being the domain validation.

Is this mis-issued?

> On 22 May 2017, at 8:18 am, Ryan Sleevi <sleevi at google.com> wrote:
> How do you do _any_ of the validations without an Applicant, and how do you have an Applicant without a request - that was the core question.
> On Mon, May 22, 2017 at 4:46 AM, Geoff Keating <geoffk at apple.com> wrote:
> All the BRs say is that a request has to happen before a certificate is issued.  They don’t say a request has to happen before any validations occur.
> A CA issues a certificate following a request, and must have performed the validations that match that request.  There is no requirement that validations were originally performed in the context of a specific request.
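
The flow in steps 1 to 11 of the message above, modelled as an added example that is not part of the original e-mail or of any CA's code. It shows a validation recorded against an account first and checked only at issuance time, once a request exists. `Account`, `start_validation`, `confirm_token`, `covered`, `may_issue` and the `max_age` reuse window are hypothetical names and settings chosen for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Account:                      # hypothetical model of the logged-in user
    username: str
    pending: dict = field(default_factory=dict)    # domain -> token sent by e-mail
    validated: dict = field(default_factory=dict)  # domain -> time of confirmation

def start_validation(acct, domain):
    """Steps 2-3: create the random token the CA e-mails to the domain contact."""
    token = secrets.token_urlsafe(16)
    acct.pending[domain.lower()] = token
    return token

def confirm_token(acct, domain, token, now):
    """Step 4: the logged-in user returns the token; record when that happened."""
    expected = acct.pending.get(domain.lower())
    if expected is None or not hmac.compare_digest(expected, token):
        return False
    del acct.pending[domain.lower()]
    acct.validated[domain.lower()] = now
    return True

def covered(fqdn, domain):
    """fqdn is the validated domain itself or lies under it on a label boundary."""
    fqdn, domain = fqdn.lower().rstrip("."), domain.lower().rstrip(".")
    return fqdn == domain or fqdn.endswith("." + domain)

def may_issue(acct, fqdns, now, max_age):
    """Issuance-time check (steps 8 and 11): there is an Applicant and a request,
    and every requested FQDN has a validation that is already in the past.
    max_age is an assumed CA policy setting, not a value from the message."""
    if acct is None or not fqdns:
        return False
    return all(
        any(covered(f, d) and timedelta(0) <= now - t <= max_age
            for d, t in acct.validated.items())
        for f in fqdns)

if __name__ == "__main__":
    t0 = datetime(2017, 5, 22, 12, 0, tzinfo=timezone.utc)   # constructed sample data
    user = Account("newuser")
    confirm_token(user, "example.com", start_validation(user, "example.com"), t0)
    for name in ("site.example.com", "site2.example.com", "site.notexample.com"):
        print(name, may_issue(user, [name], t0 + timedelta(minutes=5), timedelta(days=30)))
```

The label-boundary test in `covered` is what keeps a validation of example.com from being reused for a look-alike name such as site.notexample.com.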
