[cabfpub] How a Certificate Is Issued - the Baseline Requirements Version

Ryan Sleevi sleevi at google.com
Fri Apr 14 22:28:44 UTC 2017


On Fri, Apr 14, 2017 at 5:29 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> You're already permitted to reuse the data and documents, in the example I
> covered. Can you indicate what part of that process you're attempting to
> mitigate?
>
>
>
> {JR} Your example was only 3.2.2.4. 3.2.2.4 only applies to domain
> validation, not organizational validation. The process I’m attempting to
> mitigate is reuse of organizational validation information.
>

I think we're talking past each other. You're trying to reuse the exact
validation. I'm suggesting you can reuse the documents and data in a way
that it makes no meaningful difference, but trying to understand if you
disagree.

From my original message:

   1. The CA must verify every request independent of any past actions
   (Section 4.2.1, "The CA SHALL establish and follow a documented procedure
   for verifying all data requested for inclusion in the Certificate by the
   Applicant.", "The CA MAY use the documents and data provided in Section 3.2
   to verify certificate information" - note, active tense)
   2. The CA may use previously obtained information consistent with that
   validation, provided that it reverifies that data
      1. For example, if a certificate request includes the name or address
      of an organization (Section 3.2.2.1), then the CA may verify that request
      by using data previously obtained from one of the data sources enumerated
      therein. The CA MUST verify that the information in the request is
      consistent with that dataset. For a programmatic verification, this may be
      as 'simple' as checking an equality check with the existing documents.



> {JR} In that case we could simply drop 3.3.1 (as you pointed out that
> particular issue is already addressed in 3.2.2.4):
>
> Add the following to 4.2.1 (sort of taken from 11.14.1 of EV) after the
> third paragraph:
>
> If an Applicant has a currently valid Certificate issued by the CA, a CA
> MAY rely on the prior authentication and verification:
>
> (1) The Applicant's identity as verified under Section 3.2.2.1;
>
> (2) The Applicant’s DBA as verified under Section 3.2.2.2;
>
> (3) The countryName as verified under Section 3.2.2.3;
>
> (4) The Applicant’s individual identity as verified under Section 3.2.3;
> and
>
> (5) The Applicant’s authorization to issue the Certificate as verified
> under Section 3.2.5, provided that the CA receives or confirms the request
> for a Certificate using a Reliable Method of Communication.
>

The problem there, with this wording, is that it doesn't include the time
limit. I think you're thinking the clause with "the CA MAY use documents
and data" applies, but it doesn't. That is, this is even worse in creating
the (clearly unintentional, on your part) loophole.