<div dir="ltr">Based on <a href="https://tools.ietf.org/html/rfc3647#section-4.4.2">https://tools.ietf.org/html/rfc3647#section-4.4.2</a> , it would seem like Section 4.2.1 might be more appropriate.<div><br></div><div>If I'm understanding correctly, the goal of Section 3.3 is to describe how data is initially validated/processed. I don't think adding a Section 3.5 is consistent with our goals of a 3647 framework.</div><div><br></div><div><br></div><div>For example, perhaps moving it to section 4.2.1, between "Applicant information MUST" and "The CA SHALL develop"</div><div><br></div><div>The CA MUST ensure that that all data and documents validated according to Section 3.2 was provided to the CA no more than thirty-nine (39) months prior to issuing the Certificate.</div><div><br></div><div><br></div><div>I'm not sure whether we want to "provided to the CA" or "obtained by the CA", and if CAs feel there's a distinction worth making.</div><div>This would also, hopefully, encompass the activities of the RA with respect to the final paragraph of Section 4.2.1 - that is, if documents were provided (and validated) by an RA, then they are "fulfilling [any of] the CA's obligation under this section", and thus the 39-month period applies to the RA, not when the RA submitted the validated docs to the CA. I believe that's consistent both with the original 11.3 and with the intent, but I'd be curious if others disagree.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 3, 2015 at 4:35 AM, Doug Beattie <span dir="ltr"><<a href="mailto:doug.beattie@globalsign.com" target="_blank">doug.beattie@globalsign.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div><p class="MsoNormal">I might have mentioned this before but ran across it again today. Prior to RFC 3647 format conversion we had this:<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><a name="15167d705ebe60ad__Ref278462566"></a><a name="15167d705ebe60ad__Toc402526117"><b><i>11.3 </i></b></a><b><i><span lang="X-NONE">Age of Certificate Data</span></i></b><a name="15167d705ebe60ad__Toc304535459"></a><a name="15167d705ebe60ad__Toc304548240"></a><a name="15167d705ebe60ad__Toc304562255"></a><b><i><span lang="X-NONE"><u></u><u></u></span></i></b></p><p class="MsoNormal">Section 9.4 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 11 to verify certificate information, provide that the CA obtained the data or document from a source specified under Section 11 no more than thirty-nine (39) months prior to issuing the Certificate.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">But now we have this:<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><a name="15167d705ebe60ad__Toc418599134"><b><i>3.3 Identification and authentication for re-key requests</i></b></a><b><i><u></u><u></u></i></b></p><p class="MsoNormal"><a name="15167d705ebe60ad__Toc140649463"></a><a name="15167d705ebe60ad__Toc418599135"><b>3.3.1 Identification and Authentication for Routine Re-key</b></a><b><u></u><u></u></b></p><p class="MsoNormal">Section 6.3.2 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that the CA obtained the data or document from a source specified under Section 3.2 no more than thirty-nine (39) months prior to issuing the Certificate.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">The re-use of certificate data seems to be limited to routine Re-key requests when before it could be used for any purpose. Can we find a new heading section for this so it’s clear we can use it for purposes other than rekey? Maybe a new section, 3.5, for this purpose?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p></div></div><br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div>