<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Last year the issue of applying all the BR rules to a reissued certificate was debated here, and my understanding of the outcome is that CAs are required to do this. In light of heartbleed, this rule creates some interesting impediments
to key rollover:<o:p></o:p></p>
<p class="MsoNormal">- BR section 11.3 states that the age of data used to validate a certificate must be less than 39 months. There are a number of cases such as renewals in which a certificate may have been originally issued with data that met this age requirement
but has since expired.<o:p></o:p></p>
<p class="MsoNormal">- pre-BR legacy certificates can’t be rekeyed without meeting all BR requirements<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">These issues are slowing down efforts to address heartbleed, at least here at GoDaddy.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Note that the EV Guidelines provide a definition of reissuance and an exception (11.13.4) that is missing from the BRs:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:"Times New Roman","serif"">A CA may rely on previously verified information to issue a replacement certificate where:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:"Times New Roman","serif"">(1) The expiration date of the replacement certificate is the same as the expiration date of the currently valid EV<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:"Times New Roman","serif"">Certificate that is being replaced, and<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Times New Roman","serif"">(2) The Subject of the Certificate is the same as the Subject in the currently valid EV Certificate that is being replaced<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal">Is there any support from other CAs and browsers to reconsider this BR rule in light of the current situation, or to at least make an exception for a major security event? If so, I’d argue that we need to figure out how to move on this
much more quickly than the normal ballot process.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Wayne<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>