On 20/04/17 18:57, Ryan Sleevi wrote:
> Based on our description, I believe your intent is also to cover Section
> 3.2.2.6, correct?

I guess so, although without permission to do 3.2.2.4 or 3.2.2.5, it seems odd that anyone would outsource this bit.

> The concern raised in Raleigh that this introduces is that it
> effectively forbids Enterprise RAs from managing the validation of
> domains beneath the Domain Namespace that the CA has verified. This is
> because Enterprise RAs are Delegated Third Parties.
>
> Is your intent to restrict such Enterprise RAs to only performing
> Subject Name validation?

No.

> That is, if 3.2.2.4 were worded to somehow suggest that:
> "The CA SHALL confirm that, as of the date the Certificate issues, the
> CA has validated each Fully-Qualified Domain Name (FQDN) listed in the
> Certificate using at least one of the methods listed below, or is within
> the Domain Namespace of a Fully-Qualified Domain Name (FQDN) that has
> been validated using at least one of the methods listed below."

Are we happy that, for all 10 methods, proof of control of foo.example.com makes it fine to issue wibble.fish.foo.example.com?

Gerv
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
