<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 1, 2017 at 3:51 PM, Peter Bowen via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
> On Mar 1, 2017, at 2:14 PM, Chris Bailey via Public <<a href="mailto:public@cabforum.org">public@cabforum.org</a>> wrote:<br>
> Section 6.3.2 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that (i) the CA obtained the data or document from a source specified under Section 3.2 no more than 825 days thirty‐nine (39) months prior to issuing the Certificate; and (ii) the method used to obtain the document or data was acceptable under Section 3.2 at the time the document or data was obtained.<br>
><br>
> A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if:<br>
> (1) The expiration date of the replacement certificate is the same as the expiration date of the Certificate that is being replaced, and<br>
> (2) The Subject Information of the Certificate is the same as the Subject in the Certificate that is being replaced.<br>
><br>
> If an Applicant has a currently valid Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of the Applicant's right to use the specified Domain Name under Section 3.2.2.4, provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the existing Certificate.<br>
<br>
</span>Chris,<br>
<br>
This seems a little out of order or I’m not understanding it. Wouldn’t it read better to move the last sentence up to above the “replacement certificate” provision? It would probably also be clearer to use the negative of the sentence:<br>
<br>
"If an Applicant has a currently valid Certificate issued by the CA, a CA MAY NOT rely on its prior authentication and verification of the Applicant's right to use the specified Domain Name under Section 3.2.2.4 unless the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the existing Certificate."<br>
<br>
That makes it clearer that you are constraining reuse of data to cases where you ensure the domain didn’t change hands.<br>
<br>
I also think it would be good to define what must be the same in the WHOIS record — if the postal address, email address, or phone numbers change, is it still the same registrant?<br></blockquote><div><br></div><div>If that was the intent, I agree, it should be clearly stated. As worded, it presents the opportunity to indefinitely reissue certificates in a way that creates a conflict with the proviso in Section 4.2.1 regarding the use of documents and data previously provided.</div><div><br></div><div>While it's encouraging to see the introduction of WHOIS revalidation, this remains problematic and not trivially identified:</div><div> - For TLDs which do not provide a WHOIS service, what happens?</div><div> - Given that WHOIS represents a human readable entry, it introduces ambiguity into the determination of 'same registrant', as you note.</div><div> - It introduces security risks with respect to the use of privacy preserving registrations, in that two independent Applicants may utilize the same subscriber, and thus be materially presented as the same Technical/Administrative/Billing contacts</div><div><br></div><div>While these are interesting problems to explore, it highlights the challenges that arise when introducing multiple items into a single Ballot, and reiterates the need to make the smallest change possible. As Ballot 188 demonstrates, even well-intentioned, well-regarded changes can introduce nuanced bugs that can seriously undermine the security and stability of the ecosystem.</div></div></div></div>