<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Title content=""><meta name=Keywords content=""><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.m4732268355913672907msolistparagraph, li.m4732268355913672907msolistparagraph, div.m4732268355913672907msolistparagraph
{mso-style-name:m_4732268355913672907msolistparagraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Tahoma;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'>Yes, that is the path I'm heading down.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'>I also noticed that in section 3.2.2.4 (Validation of Domain Authorization or Control), it mentions…<o:p></o:p></span></p><p class=MsoNormal><i><span style='font-size:10.0pt;font-family:Tahoma'>"The CA SHALL confirm that, *<u>as of the date the Certificate issues</u>*, either the CA or a Delegated Third Party has validated each Fully</span></i><i><span style='font-size:10.0pt;font-family:Calibri'>‐</span></i><i><span style='font-size:10.0pt;font-family:Tahoma'>Qualified Domain Name (FQDN) listed in the Certificate…"</span></i><span style='font-size:10.0pt;font-family:Tahoma'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'>…which seems to imply that every cert issuance needs to recheck domain authorization/control. But, it then goes on to say…<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'><o:p> </o:p></span></p><p class=MsoNormal><i><u><span style='font-size:10.0pt;font-family:Tahoma'>"Completed confirmations</span></u></i><i><span style='font-size:10.0pt;font-family:Tahoma'> of Applicant authority <u>may be valid for the issuance of multiple certificates</u> over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such as Section 3.3.1 of this document) prior to certificate issuance."<o:p></o:p></span></i></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'>…which seems to imply that domain authorization/control can be cached along with the rest of the I&A data and reused for subsequent issuance. (I'll leave aside the fact that Section 3.3.1 is completely blank, yet is being referenced here)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'>Am I correct to assume that the tasks performed to demonstrate domain authorization/control are considered part of the same set of cacheable subscriber identity information and can thus be reused without revalidation as long as it's within the cache window? (I'm pretty sure the answer is yes, but it's conveyed in a bit of a confusing way, in my opinion)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'>-Alex<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:Tahoma'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-family:Calibri;color:black'>From: </span></b><span style='font-family:Calibri;color:black'>Ryan Sleevi <sleevi@google.com><br><b>Date: </b>Friday, April 21, 2017 at 10:26 AM<br><b>To: </b>CA/Browser Forum Public Discussion List <public@cabforum.org><br><b>Cc: </b>Alex Wight <awight@cisco.com><br><b>Subject: </b>Re: [cabfpub] Question around I&A information caching<o:p></o:p></span></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Fri, Apr 21, 2017 at 12:14 PM, Alex Wight (awight) via Public <<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:Tahoma'>Hi all,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:Tahoma'> Please forgive me if this question is a bit naïve and perhaps something I should know already; Am I correct in assuming the following scenario is valid under the current BRs?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:Tahoma'> </span><o:p></o:p></p><p class=m4732268355913672907msolistparagraph style='margin-left:.25in'><span style='font-size:10.0pt;font-family:Tahoma'>1.</span><span style='font-size:7.0pt'> </span><span style='font-size:10.0pt;font-family:Tahoma'>Day 1 - CA gathers Identification and Authentication (I&A) information for a particular subscriber</span><o:p></o:p></p><p class=m4732268355913672907msolistparagraph style='margin-left:.25in'><span style='font-size:10.0pt;font-family:Tahoma'>2.</span><span style='font-size:7.0pt'> </span><span style='font-size:10.0pt;font-family:Tahoma'>Day 1 - CA issues a certificate valid for 825 days</span><o:p></o:p></p><p class=m4732268355913672907msolistparagraph style='margin-left:.25in'><span style='font-size:10.0pt;font-family:Tahoma'>3.</span><span style='font-size:7.0pt'> </span><span style='font-size:10.0pt;font-family:Tahoma'>824 days later - CA issues a new certificate valid for 825 days using the I&A data cached from day 1</span><o:p></o:p></p><p class=m4732268355913672907msolistparagraph style='margin-left:.25in'><span style='font-size:10.0pt;font-family:Tahoma'>4.</span><span style='font-size:7.0pt'> </span><span style='font-size:10.0pt;font-family:Tahoma'>…rinse, repeat.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:Tahoma'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:Tahoma'> In short, we can certify ownership of a domain for 1649 days (over 4 and a half years) based on a single I&A verification event performed on Day 1, correct?</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Now you understand our concerns regarding that reuse, and our desire to see Ballot 190 (and Ballot 186) address these concerns more meaningfully to the information they're attesting to, based on the risk and frequency of change.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Under the current BRs (1.4.2), Section 4.2.1 permits it for thirty-nine months. If we take the most absolutely liberal interpretation (which is difficult to justify, but easy to compute), of 39 months meaning 31-day months, for a total of 1209 days, then it means a CA only needs to validate an Applicant controls a domain once every 2,417 days.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Assuming 1.4.4 successfully is adopted, that will reduce to one DNS validation performed every 1,649 days.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We should aim to see that number, for domain validations, reduced to (max lifetime of cert), at worst.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Note that in theory, the Subscriber is contractually obligated to inform the CA when they lose the right to use the domain name. In doing so, this absolves the CA of the responsibility to ensure the information they've certified is correct, because it is the Subscriber that has failed to follow the TOU, not the CA's fault. This comes from Sections 9.6.1(1), 9.6.3(1), and 9.6.3(5).<o:p></o:p></p></div></div></div></div></div></body></html>