Simplify statements about authentication of cert information #243
Conversation
- Simplify 3.2.2 to more directly reflect the language used in that section of the BRs - Replace sections 3.2.3, 3.2.4, and 3.2.5 with "No applicable", because Let's Encrypt does not need to perform authentication of individual identity or validation of authority, and does not include non-verified subscriber information in certificates
aarongable
added this to the No Meaningful Subject Distinguished Name Remediation milestone
| ISRG only issues Domain Validation (DV) certificates. All FQDNs which will be listed in the Common Name and list of SANs in the certificate are fully validated prior to issuance. | ||
|
|
||
| ISRG uses three methods for validating domain control: | ||
| Prior to issuance of a Subscriber Certificate, ISRG uses at least one of the following methods to validate the Applicant's control of each FQDN listed in the Certificate: |
There was a problem hiding this comment.
I should have caught this before, but as in another PR - strictly speaking, this is saying we perform validation on every FQDN listed in the certificate. That isn't technically true though because of things like OCSP.
The fix for my last comment looks good though.
There was a problem hiding this comment.
Yes, but it's also reflecting the language used by the BRs:
The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate...
There was a problem hiding this comment.
I'm OK with mimicking that if that seems like the best thing to do, but it makes me uncomfortable that the plain English reading of the BRs here seems incorrect.
There was a problem hiding this comment.
I asked around a bit and people seemed to think contextual interpretation is sufficient, but after some further thought I don't think there is a compelling reason for us to ship language that is strictly incorrect in our CP/CPS so I think we should fix it and not mimic the BRs here.
Note that this is the first use of "Not applicable." as full section contents in this document. This feels more appropriate than "No stipulation", as we are affirmatively stating that these sections do not concern our operations, rather than saying simply that we choose not to describe our operations in these sections.