<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">I sent this two hours ago, but apparently only to Doug. This is another potential alternative that would keep the language close to the rest of the validation rules.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We will face the same issue if and when the reuse of data rules in the EVGL are rewritten to a RFC 3647 format.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>From:</b> Kirk Hall (RD-US) <br>
<b>Sent:</b> Thursday, December 03, 2015 2:32 PM<br>
<b>To:</b> 'Doug Beattie'<br>
<b>Subject:</b> RE: Age of Certificate Data<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Doug, I agree with you – but I think we have to find an existing RFC 3647 heading that works (can’t make a new one and still be following the RFC 3647 format). I pasted in below the sections we have from RFC 3647 – sadly, they forgot to
include re-authentication.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Maybe we add a new paragraph at the end of BR 3.2.2 and use the old text. We would support that if someone wants to include in a ballot. Perhaps we add to the upcoming domain validation ballot?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><b>3.2.2. Authentication of Organization and Domain Identity</b>
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">[Existing paragraphs] *** <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Section [6.3.2] limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section [3.2] to verify certificate information, provide that the CA obtained the data or
document from a source specified under Section [3.2] no more than thirty-nine (39) months prior to issuing the Certificate.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black">RFC 3647<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";color:black">3.2 Initial identity validation<o:p></o:p></span></p>
<pre><span style="color:black"> 3.2.1 Method to prove possession of private key<o:p></o:p></span></pre>
<pre><span style="color:black"> 3.2.2 Authentication of organization identity<o:p></o:p></span></pre>
<pre><span style="color:black"> 3.2.3 Authentication of individual identity<o:p></o:p></span></pre>
<pre><span style="color:black"> 3.2.4 Non-verified subscriber information<o:p></o:p></span></pre>
<pre><span style="color:black"> 3.2.5 Validation of authority<o:p></o:p></span></pre>
<pre><span style="color:black"> 3.2.6 Criteria for interoperation<o:p></o:p></span></pre>
<pre><span style="color:black">3.3 Identification and authentication for re-key requests<o:p></o:p></span></pre>
<pre><span style="color:black"> 3.3.1 Identification and authentication for routine re-key<o:p></o:p></span></pre>
<pre><span style="color:black"> 3.3.2 Identification and authentication for re-key after revocation<o:p></o:p></span></pre>
<pre><span style="color:black">3.4 Identification and authentication for revocation request<o:p></o:p></span></pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>From:</b> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Doug Beattie<br>
<b>Sent:</b> Thursday, December 03, 2015 4:35 AM<br>
<b>To:</b> CABFPub<br>
<b>Subject:</b> [cabfpub] Age of Certificate Data<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I might have mentioned this before but ran across it again today. Prior to RFC 3647 format conversion we had this:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a name="_Toc402526117"></a><a name="_Ref278462566"></a><b><i>11.3
</i></b><b><i><span lang="X-NONE">Age of Certificate Data<a name="_Toc304535459"></a><a name="_Toc304548240"></a><a name="_Toc304562255"></a><o:p></o:p></span></i></b></p>
<p class="MsoNormal">Section 9.4 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 11 to verify certificate information, provide that the CA obtained the data or document from a source specified
under Section 11 no more than thirty-nine (39) months prior to issuing the Certificate.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">But now we have this:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a name="_Toc418599134"><b><i>3.3 Identification and authentication for re-key requests</i></b></a><b><i><o:p></o:p></i></b></p>
<p class="MsoNormal"><a name="_Toc418599135"></a><a name="_Toc140649463"></a><b>3.3.1 Identification and Authentication for Routine Re-key<o:p></o:p></b></p>
<p class="MsoNormal">Section 6.3.2 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that the CA obtained the data or document from a source specified
under Section 3.2 no more than thirty-nine (39) months prior to issuing the Certificate.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The re-use of certificate data seems to be limited to routine Re-key requests when before it could be used for any purpose. Can we find a new heading section for this so it’s clear we can use it for purposes other than rekey? Maybe a
new section, 3.5, for this purpose?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre><table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
</pre></td></tr></table></pre></font></td></tr></table>