This question (what is being certified?) will be one of the first topics on the agenda for the Validation WG meeting in Virginia.
On Mon, Feb 5, 2018 at 12:19 AM, Adriano Santoni via Public <[email protected]> wrote:

> I agree. Before re-discussing the various 3.2.2.4 methods, we should first
> discuss whether the basic principle ("either ownership or control" of a
> domain) underlying the issuance of an SSL Server certificate is still
> valid. I believe that the Applicant's ownership of a domain is an excellent
> reason to grant a certificate containing that domain, and that it is too
> drastic to assume that only when the CA is affiliated with the Registrar
> such property can be reliably verified.
>
> On 04/02/2018 20:19, Peter Bowen via Public wrote:
>
>> There has been a lot of discussion of which validation methods are acceptable
>> and meet the bar for issuance of a certificate but I've not seen anyone
>> clearly state the requirements for issuance. I think it is important we agree
>> on what is being certified before we try to fix the validation process any
>> further. Without doing so, there is no way to reasonably judge the
>> effectiveness of any method.
>>
>> Section 9.6.1 of the BRs is the closest I could find to spelling out exactly
>> what is being certified. Reading that, it looks like the following is true:
>>
>> The issuer named in the certificate, as of the issuance date, certified that:
>>
>> 1) the Applicant either had the right to use, or had control of, the Domain
>> Name(s) and IP address(es) listed in the Certificate’s subject field and
>> subjectAltName extension or, in the case of Domain Names, was delegated such
>> right or control by someone who had such right to use or control, and
>>
>> 2) the natural person, device, system, unit, or Legal Entity identified in
>> the Certificate as the Subject authorized the issuance of the Certificate, and
>>
>> 3) the Subject is either the Applicant or a device under the control and
>> operation of the Applicant, and
>>
>> 4) that the natural person or human sponsor who was either the Applicant,
>> employed by the Applicant, or an authorized agent who had express authority
>> to represent the Applicant was authorized to request the Certificate on
>> behalf of the Subject, and
>>
>> 5) the issuer verified the accuracy of all of the information contained in
>> the Certificate (with the exception of the subject:organizationalUnitName
>> attribute), and
>>
>> 6) the issuer followed procedures to reduce the likelihood that the
>> information contained in the Certificate’s subject:organizationalUnitName
>> attribute is misleading
>>
>> There may be other things certified, but these six things are required for
>> all certificates, as I read the BRs. Do others agree? Should this list be
>> longer or shorter?
>>
>> Thanks,
>> Peter
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
