I feel like we’re going around in circles here. The question you’re asking is wrong. It is not a valid question. It is a question that relies on false premises.
At the time that the baseline requirements apply, that is the moment of certificate issuance, it is not possible that you can be considering the correctness of a validation without having an Applicant and a request. If there isn’t an Applicant, or there isn’t a request, the certificate is already misissued and so it does not matter what validations were done. The baseline requirements describe the validations that must have been done. They do this in the context of the Applicant and request that applied to this specific certificate issuance. These validations must have been done (that is, they must be in the past) at the time of issuance. Before, when the validations were actually done, it might not have been possible to know which certificate(s) they were being done for, but that is irrelevant to the BRs. This is made exceptionally clear in section 3.2.2.4,

> The CA SHALL confirm that, as of the date the Certificate issues, either the
> CA or a Delegated Third Party has validated each Fully‐Qualified Domain Name
> (FQDN) listed in the Certificate using at least one of the methods listed
> below.

Reading this carefully, you see that the CA’s responsibility for validation occurs at “the date the Certificate issues”. Then in section 4.1.2, you have also the very clear sentence

> Prior to the issuance of a Certificate, the CA SHALL obtain from the
> Applicant a certificate request in a form prescribed by the CA and that
> complies with these Requirements

This occurs “Prior to the issuance” and therefore before “the date the Certificate issues”. So at the time the CA is responsible for confirming that validations have been performed, the CA already has “obtain[ed] from the Applicant a certificate request”. You ask ‘how do you do the validations without an Applicant’.
The question is, as I said, incorrect, in that at the relevant time it is clear who the Applicant is, but here’s an example which answers what I think is the better question, which is how you do the validations first and obtain the request later:

1. A new user creates an account in a CA’s system, identified by username and password
2. The new user indicates they would like to validate example.com as controlled by them
3. The CA’s system looks up example.com in whois and sends an e-mail to the administrative contact, [email protected]
4. The user, who is logged in, confirms they received the e-mail by supplying the random token
5. The user, who is logged in, now asks for a DV certificate for site.example.com
6. The user, who is logged in, accepts the subscriber agreement for this and all future certificates
7. The user, who is logged in, supplies a CSR for the request
8. The certificate issues, based on the user being the Applicant, step 5 being the request (and step 7 being ‘additional information’), and step 4 being the domain validation.

Now, do you think this certificate is mis-issued under the BRs? Does it matter if after this process, it continues:

9. A few minutes later, the user, who is still logged in, now asks for another DV certificate for site2.example.com
10. The user, who is logged in, supplies a CSR for the request
11. The certificate issues, based on the user being the Applicant, step 9 being the request (and step 10 being ‘additional information’), and step 4 being the domain validation.

Is this mis-issued?

> On 22 May 2017, at 8:18 am, Ryan Sleevi <[email protected]> wrote:
>
> How do you do _any_ of the validations without an Applicant, and how do you
> have an Applicant without a request - that was the core question.
>
> On Mon, May 22, 2017 at 4:46 AM, Geoff Keating <[email protected]> wrote:
> All the BRs say is that a request has to happen before a certificate is
> issued. They don’t say a request has to happen before any validations occur.
>
> A CA issues a certificate following a request, and must have performed the
> validations that match that request. There is no requirement that
> validations were originally performed in the context of a specific request.
>
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
