<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Sorry for the slow response. Yes, Trend Micro would support adding the language of EVGL 11.13.4 concerning reissue to the BRs for all certificates (allowing reissuance based on older authentication data so long as you retain the original
expiration date). As you say, this is a good response to the Heartbleed issue.<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Wayne Thayer<br>
<b>Sent:</b> Friday, April 11, 2014 8:18 PM<br>
<b>To:</b> CABFPub<br>
<b>Subject:</b> [cabfpub] BR Rekey Rules<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Last year the issue of applying all the BR rules to a reissued certificate was debated here, and my understanding of the outcome is that CAs are required to do this. In light of heartbleed, this rule creates some interesting impediments
to key rollover:<o:p></o:p></p>
<p class="MsoNormal">- BR section 11.3 states that the age of data used to validate a certificate must be less than 39 months. There are a number of cases such as renewals in which a certificate may have been originally issued with data that met this age requirement
but has since expired.<o:p></o:p></p>
<p class="MsoNormal">- pre-BR legacy certificates can’t be rekeyed without meeting all BR requirements<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">These issues are slowing down efforts to address heartbleed, at least here at GoDaddy.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Note that the EV Guidelines provide a definition of reissuance and an exception (11.13.4) that is missing from the BRs:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:"Times New Roman","serif"">A CA may rely on previously verified information to issue a replacement certificate where:<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:"Times New Roman","serif"">(1) The expiration date of the replacement certificate is the same as the expiration date of the currently valid EV<o:p></o:p></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.5pt;font-family:"Times New Roman","serif"">Certificate that is being replaced, and<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Times New Roman","serif"">(2) The Subject of the Certificate is the same as the Subject in the currently valid EV Certificate that is being replaced<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Times New Roman","serif""><o:p> </o:p></span></p>
<p class="MsoNormal">Is there any support from other CAs and browsers to reconsider this BR rule in light of the current situation, or to at least make an exception for a major security event? If so, I’d argue that we need to figure out how to move on this
much more quickly than the normal ballot process.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Wayne<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table></pre></font></td></tr></table>