<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 14, 2017 at 4:30 PM, Jeremy Rowley <span dir="ltr">&lt;<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_-6131725752303443664WordSection1"><p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif">Thanks a ton Ryan for putting this together. This is great info.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:calibri,sans-serif"><u></u> <u></u></span></p><p class="MsoNormal"><a name="m_-6131725752303443664__MailEndCompose"><span style="font-size:11pt;font-family:calibri,sans-serif">I agree the BRs are missing a re-use of information section, which is odd because the section exists in the EV Guidelines (11.14.1 and 11.14.2).</span></a></p></div></div></blockquote><div><br></div><div>That's nominally covered in Section 3.2.2.4 as part of the introduction, but it doesn't allow for "previous" versions to be used.</div><div><br></div><div>Specifically,</div><div><br></div><div>"Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such as Section 3.3.1 of this document) prior to certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate."</div><div><span style="font-family:calibri,sans-serif;font-size:11pt"> </span></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_-6131725752303443664WordSection1"><p class="MsoNormal"><span><span style="font-size:11pt;font-family:calibri,sans-serif">I was planning on circulating the following proposal to sync the two requirement docs once the number of pending ballots declined:<u></u><u></u></span></span></p><p class="MsoNormal"><span><span style="font-size:11pt;font-family:calibri,sans-serif"><u></u> <u></u></span></span></p><p class="MsoNormal"><span>Add the following to 3.3.1 (taken from 11.14.2 of the EV Guidelines):<u></u><u></u></span></p><p class="MsoNormal"><span>A CA may rely on a previously submitted certificate request to issue a new certificate if: <u></u><u></u></span></p><p class="MsoNormal"><span>(1) The expiration date of the replacement certificate is the same as the expiration date of the Certificate being replaced, and <u></u><u></u></span></p><p class="MsoNormal"><span>(2) The Subject Information of the Certificate is the same as the Subject in the Certificate that is being replaced.<u></u><u></u></span></p><p class="MsoNormal"><span><u></u> <u></u></span></p><p class="MsoNormal"><span>Add the following to 4.2.1 (sort of taken from 11.14.1) after the third paragraph: <u></u><u></u></span></p><p class="MsoNormal"><span>If an Applicant has a currently valid Certificate issued by the CA, a CA MAY rely on the prior authentication and verification of:  <u></u><u></u></span></p><p class="MsoNormal"><span>(1) The Applicant's identity under Section 3.2.2.1; <u></u><u></u></span></p><p class="MsoNormal"><span>(2) The Applicant’s DBA under Section 3.2.2.2;<u></u><u></u></span></p><p class="MsoNormal"><span>(3) The countryName under Section 3.2.2.3;<u></u><u></u></span></p><p class="MsoNormal"><span>(4) The Applicant’s individual
identity under Section 3.2.3; and<u></u><u></u></span></p><p class="MsoNormal"><span>(5) The Applicant’s authorization to issue the Certificate under Section 3.2.5, provided that the CA receives or confirms the request for a Certificate using a Reliable Method of Communication.<u></u><u></u></span></p><p class="MsoNormal"><span><span style="font-size:11pt;font-family:calibri,sans-serif"><u></u> <u></u></span></span></p><p class="MsoNormal"><span><span style="font-size:11pt;font-family:calibri,sans-serif">Thoughts?</span></span></p></div></div></blockquote><div><br></div><div>I suppose it comes as no surprise that I'm in favor of more verifications, not less, and always to the current Guidelines :)</div><div><br></div><div>There are some real issues with that language in the EVGs, and I'd love to see that stricken.</div><div><br></div><div>For example, given a certificate issued for 39 months, and a request comes in at 38 months, how long can the certificate be valid? I think your intent would be to say "1 month", but I don't think the proposed change would accomplish that. Instead, I fear it would/could allow for 39 months (and then 77 months since the original validation, another 39 month cert be issued)</div></div></div></div>