[cabf_validation] Subject/Subscriber Relationship in BRs

[Peter Bowen]

As discussed on the call there are several parts of the BRs that either say or strongly imply that the Subject and Subscriber must be the same entity.  If we want to allow them to be different unrelated entities, then several items will need to be changed.

“The Subject is either the Subscriber or a device under the control and operation of the Subscriber.” (BR §1.6.1 “Subject”)
This seems very clear.

“Applicant: The natural person or Legal Entity that applies for (or seeks renewal of) a Certificate. Once the Certificate issues, the Applicant is referred to as the Subscriber” (BR §1.6.1 “Applicant”)
This makes it clear that the terms Applicant and Subscriber refer to the same entity.

“If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant’s (Subscriber’s) address of existence or operation.” (BR §3.2.2.1)
The Applicant/Subscriber and Subject have to share a postal address.

“If the Subject Identity Information is to include a DBA or tradename, the CA SHALL verify the Applicant’s (Subscriber’s) right to use the DBA/tradename” (BR §3.2.2.2)
“the CA implemented a procedure for verifying that the Subject authorized the issuance of the Certificate and that the Applicant (Subscriber) Representative is authorized to request the Certificate on behalf of the Subject” (BR §9.6.1 #2)
I think this is neutral  — Company A could authorize Company B to use their name to get a certificate