Hello,
The Baseline Requirements 4.1.2 says:
“Prior to the issuance of a Certificate, the CA SHALL obtain the following documentation from the Applicant:
As I understand it, an executed Subscriber Agreement or Terms of Use or contract is a legal document that has been signed off by the people necessary for it to become effective, which means a signature from the Subscriber must be presented on the Agreement, be it an electronic signature or a handwritten one.
That being said, I recently obtained a Domain Validated certificate from Let’s Encrypt through Cloudflare, and no subscriber agreement popped out and there was no way to sign such agreement electronically during the certificate issuance process.
I'd like to ask if this conforms to section 4.1.2 of the Baseline Requirements, as well as section 5.5.2 which requires a minimum seven-year retention period of the documents in relation to the certificate issuance, and I assume an “executed subscriber agreement” is part of such documents.
Apologies in advance if I misinterpreted these requirements or missed any previous discussions.
Thank you.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/SL2PR03MB4427A1D05FF38A4DA5705096D4349%40SL2PR03MB4427.apcprd03.prod.outlook.com.
The CA SHALL implement a process to ensure that each Subscriber Agreement or Terms of Use is legally enforceable against the Applicant. In either case, the Agreement MUST apply to the Certificate to be issued pursuant to the certificate request. The CA MAY use an electronic or “click‐through” Agreement provided that the CA has determined that such agreements are legally enforceable.
Hello All,
Thanks for the explanation.
I was feeling confused because, by the definitions of the Baseline Requirements, a certificate Applicant becomes a Subscriber once the Certificate is issued; if Cloudflare is the Subscriber in this case, then it will also be the corresponding Applicant. I thought that, as a legal person who owns a domain, I was the Applicant, and Cloudflare served as the Registration Authority who validated the domain ownership and then submitted the validated information for the CA to issue a certificate.
Thank you.
Sounds quite close to this definition:
(38)
‘certificate for website authentication’ means an attestation that makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued;
Thanks,
M.D.
‘certificate for website authentication’ means an attestation that makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued;
Whereas "‘authentication’ means an electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed;".
Unfortunately eIDAS has no definition for website and that, taking into account GDPR, is a huge problem (millions of non-compliant QESCs in circulation today).
But after reading the document you shared (thank you for that, Ryan!), I understand I was overly optimistic thinking that the Commission and browsers have reached some sort of consensus*.
Whoever led the eIDAS negotiators, the executive summary shows the team has gone too far and in the wrong direction. But that's another story. :)
Thanks,
M.D.