On Fri, May 19, 2017 at 6:00 PM, Peter Bowen <[email protected]> wrote:
>
> Yes, it does. We know that CAs can generate keys on behalf of the subscriber, so it is clear that a public key is not required. This means that a CA could take the request for “issue a certificate to example.com”, do validation and key generation, throw away the private key, issue the cert, and end up with a “pre-validated” domain. This is compliant. The generated cert could have some flag in it, similar to a pre-cert, that makes it unusable for any real world purpose, and it would still be fine. But this is silly. We don’t want to have hoop jumping for no discernible value.
>
> Can you suggest a change that you feel would make it clear that CAs may validate identities (organizations, domains, etc) independent of issuing certificates and use the documents and data gathered during such validation for future issuance, subject to the aging requirement of 4.2.1? I would suggest a change myself, but I’m not quite clear which part of the BRs you feel prevents this today.
>
The BRs are gated on the concept of an Applicant - all of the validation is done in concert and connection with an Applicant. I'm not sure how it makes sense for CAs to have, say, a prevalidated set of organizations, any of which can apply and thus reuse the information.

Put differently: Do you think it would be BR conformant if a CA looked through CT, determined which organizations had OV/EV certs, worked through QIIS/QGIS's to 'prevalidate' the organizational information related to it, and then approached all customers with the remark "We can give you a certificate in 30 seconds?"

It may be that the answer is yes - that the extent of the CA's obligations (to validate the documents and domain, in absentia of an Applicant) are met. It may be that the answer is no - that a CA cannot begin doing some form of validation until contacted by an Applicant.

But I think understanding the specific answer to this scenario can help inform whether or not an "Applicant" is required to make a certificate request before being, well, an "Applicant". If they are required to make a request, then naturally, it follows that your so-called hoop-jumping is necessary, since there is a minimum definition of what constitutes a certificate request. If they are not required to make a request, then naturally, the scenario I described is the logical extreme, in which the CA can validate 'everything but the application'. To further add to the extreme, it might be possible for the CA to pre-generate the public key, and just call up the subscriber and say "Do you want a cert" - with that assent being sufficient to constitute an "Application".
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
