-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Simplify statements about authentication of cert information #243
base: main
Are you sure you want to change the base?
Conversation
- Simplify 3.2.2 to more directly reflect the language used in that section of the BRs - Replace sections 3.2.3, 3.2.4, and 3.2.5 with "No applicable", because Let's Encrypt does not need to perform authentication of individual identity or validation of authority, and does not include non-verified subscriber information in certificates
ISRG only issues Domain Validation (DV) certificates. All FQDNs which will be listed in the Common Name and list of SANs in the certificate are fully validated prior to issuance. | ||
|
||
ISRG uses three methods for validating domain control: | ||
Prior to issuance of a Subscriber Certificate, ISRG uses at least one of the following methods to validate the Applicant's control of each FQDN listed in the Certificate: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I should have caught this before, but as in another PR - strictly speaking, this is saying we perform validation on every FQDN listed in the certificate. That isn't technically true though because of things like OCSP.
The fix for my last comment looks good though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but it's also reflecting the language used by the BRs:
The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm OK with mimicking that if that seems like the best thing to do, but it makes me uncomfortable that the plain English reading of the BRs here seems incorrect.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I asked around a bit and people seemed to think contextual interpretation is sufficient, but after some further thought I don't think there is a compelling reason for us to ship language that is strictly incorrect in our CP/CPS so I think we should fix it and not mimic the BRs here.
Note that this is the first use of "Not applicable." as full section contents in this document. This feels more appropriate than "No stipulation", as we are affirmatively stating that these sections do not concern our operations, rather than saying simply that we choose not to describe our operations in these sections.