From e5f5c72344fc2dd865a26056a5f1f43368e904cb Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Fri, 18 Oct 2024 15:07:28 -0700 Subject: [PATCH 1/3] Simplify statements about authentication of cert information - Simplify 3.2.2 to more directly reflect the language used in that section of the BRs - Replace sections 3.2.3, 3.2.4, and 3.2.5 with "Not applicable", because Let's Encrypt does not need to perform authentication of individual identity or validation of authority, and does not include non-verified subscriber information in certificates --- CP-CPS.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/CP-CPS.md b/CP-CPS.md index 0656472..acc213f 100644 --- a/CP-CPS.md +++ b/CP-CPS.md @@ -228,9 +228,7 @@ No stipulation. ### 3.2.2 Authentication of organization identity -ISRG only issues Domain Validation (DV) certificates. All FQDNs which will be listed in the Common Name and list of SANs in the certificate are fully validated prior to issuance. - -ISRG uses three methods for validating domain control: +Prior to issuance of a Subscriber Certificate, ISRG uses the following methods to validate the Applicant's control of each FQDN listed in the Certificate: 1. DNS Change (Baseline Requirements Section 3.2.2.4.7) 2. Agreed-Upon Change to Website - ACME (Baseline Requirements Section 3.2.2.4.19) 
@@ -242,15 +240,15 @@ All validations are performed in compliance with the current CAB Forum Baseline ### 3.2.3 Authentication of individual identity -ISRG does not issue Subscriber Certificates containing Subject Identity Information, and thus does not validate any natural person's identity. +Not applicable. ### 3.2.4 Non-verified subscriber information -Non-verified Applicant information is not included in ISRG certificates. +Not applicable. ### 3.2.5 Validation of authority -ISRG does not issue Subscriber Certificates containing Subject Identity Information, and thus does not validate any natural person's authority to request certificates on behalf of organizations. +Not applicable. ### 3.2.6 Criteria for interoperation From c784de0e00c840220c117ca5b4c970dab71df416 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Mon, 21 Oct 2024 15:25:14 -0700 Subject: [PATCH 2/3] "at least one of" --- CP-CPS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CP-CPS.md b/CP-CPS.md index acc213f..bc17523 100644 --- a/CP-CPS.md +++ b/CP-CPS.md @@ -228,7 +228,7 @@ No stipulation. ### 3.2.2 Authentication of organization identity -Prior to issuance of a Subscriber Certificate, ISRG uses the following methods to validate the Applicant's control of each FQDN listed in the Certificate: +Prior to issuance of a Subscriber Certificate, ISRG uses at least one of the following methods to validate the Applicant's control of each FQDN listed in the Certificate: 1. DNS Change (Baseline Requirements Section 3.2.2.4.7) 2. Agreed-Upon Change to Website - ACME (Baseline Requirements Section 3.2.2.4.19) From 574698ac524cded61073cbe3d200fa71455f94ad Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Tue, 22 Oct 2024 09:08:34 -0700 Subject: [PATCH 3/3] Use "requested" to qualify FQDNs --- CP-CPS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CP-CPS.md b/CP-CPS.md index bc17523..8838b83 100644 --- a/CP-CPS.md +++ b/CP-CPS.md 
@@ -228,7 +228,7 @@ No stipulation. ### 3.2.2 Authentication of organization identity -Prior to issuance of a Subscriber Certificate, ISRG uses at least one of the following methods to validate the Applicant's control of each FQDN listed in the Certificate: +Prior to issuance of a Subscriber Certificate, ISRG uses at least one of the following methods to validate the Applicant's control of each requested FQDN: 1. DNS Change (Baseline Requirements Section 3.2.2.4.7) 2. Agreed-Upon Change to Website - ACME (Baseline Requirements Section 3.2.2.4.19)
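Review bot: in the first hunk of PATCH 1/3 (@@ -228,9 +228,7 @@), the removed lines also carried the statement "ISRG only issues Domain Validation (DV) certificates", and the replacement sentence does not restate it anywhere in the visible context. That DV-only statement is the justification for marking 3.2.3, 3.2.4 and 3.2.5 as not applicable in the second hunk, so either confirm it is still stated elsewhere in CP-CPS.md or keep it as the opening sentence of 3.2.2. The new wording "ISRG uses the following methods to validate" also reads as if every listed method is applied to every FQDN, whereas the enumerated Baseline Requirements methods are alternatives; PATCH 2/3 in this series corrects that to "at least one of", so the two patches would be cleaner squashed.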
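Review bot: in the second hunk of PATCH 1/3 (@@ -242,15 +240,15 @@), replacing the 3.2.4 text "Non-verified Applicant information is not included in ISRG certificates." with a bare "Not applicable." drops a positive commitment, not just a scoping statement: the old sentence told a relying party or auditor that no unverified Applicant data reaches a certificate, while "Not applicable." can be read as the section simply placing no constraint on the CA. The same applies to 3.2.3 and 3.2.5, where the removed lines explained why the section does not apply ("does not issue Subscriber Certificates containing Subject Identity Information"). Suggest keeping a one-line justification after the marker, e.g. "Not applicable. ISRG does not issue Subscriber Certificates containing Subject Identity Information." for 3.2.3 and 3.2.5, and retaining the non-inclusion statement for 3.2.4.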
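Review bot: PATCH 2/3 has no commit body explaining why "at least one of" is needed; the subject line alone ("at least one of") does not record that the prior wording implied all listed methods are used for every FQDN. A one-sentence body stating that the listed methods are alternatives, each sufficient on its own under the cited Baseline Requirements sections, would make the history self-explaining and help whoever later audits this CP/CPS revision.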
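Review bot: in PATCH 3/3, changing "each FQDN listed in the Certificate" to "each requested FQDN" moves the stated scope of validation from the names that end up in the issued certificate to the names that were requested. The property a relying party cares about, and the one the removed PATCH 1/3 text stated explicitly for the Common Name and SANs, is that every FQDN appearing in the certificate has been validated; "requested" alone does not say that, since the two sets coincide only if issuance is refused whenever any requested FQDN fails validation. Suggest wording that covers both, e.g. "each FQDN requested for inclusion in the Certificate", or keep "listed in the Certificate".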