[cabfpub] BR Rekey Rules

Wayne Thayer wthayer at godaddy.com
Sat Apr 12 00:17:59 UTC 2014


Last year the issue of applying all the BR rules to a reissued certificate was debated here, and my understanding of the outcome is that CAs are required to do this. In light of Heartbleed, this rule creates some interesting impediments to key rollover:
- BR section 11.3 states that the age of data used to validate a certificate must be less than 39 months. There are a number of cases such as renewals in which a certificate may have been originally issued with data that met this age requirement but has since expired.
- pre-BR legacy certificates can't be rekeyed without meeting all BR requirements

These issues are slowing down efforts to address Heartbleed, at least here at GoDaddy.

Note that the EV Guidelines provide a definition of reissuance and an exception (11.13.4) that is missing from the BRs:

A CA may rely on previously verified information to issue a replacement certificate where:
(1) The expiration date of the replacement certificate is the same as the expiration date of the currently valid EV Certificate that is being replaced, and
(2) The Subject of the Certificate is the same as the Subject in the currently valid EV Certificate that is being replaced

Is there any support from other CAs and browsers to reconsider this BR rule in light of the current situation, or to at least make an exception for a major security event? If so, I'd argue that we need to figure out how to move on this much more quickly than the normal ballot process.

Thanks,

Wayne
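As an added example (not part of Wayne's message, nor CA/B Forum or GoDaddy code), the two rules quoted above encoded as a reissue eligibility check a CA could run before a rekey: BR 11.3 (validation data must be less than 39 months old at issuance) and the EV Guidelines 11.13.4 replacement exception (same expiry date, same Subject, replaced certificate still valid). The certificate records, dates and subject strings are constructed; the whole-calendar-month counting convention is an assumption, since the post does not say how the 39 months are measured.

```python
"""Reissue/rekey eligibility check under the rules quoted in the thread.

Example code written for this thread, not CA/B Forum or GoDaddy code.
Assumptions: "age" is counted in whole calendar months, and the Subject
is compared as a plain string (a real CA would compare the DN).
"""
from dataclasses import dataclass
from datetime import date

MAX_DATA_AGE_MONTHS = 39  # BR 11.3 limit as stated in the post


@dataclass
class IssuedCert:
    subject: str        # Subject (simplified to a string here)
    not_after: date     # expiry of the certificate being replaced
    validated_on: date  # when the data backing it was last verified
    ev: bool            # issued under the EV Guidelines?


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months elapsed from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:  # last month not yet completed
        months -= 1
    return months


def validation_data_fresh(validated_on: date, issue_on: date) -> bool:
    """BR 11.3: data may back a new certificate only while < 39 months old."""
    return months_between(validated_on, issue_on) < MAX_DATA_AGE_MONTHS


def ev_replacement_exception(old: IssuedCert, new_subject: str,
                             new_not_after: date, issue_on: date) -> bool:
    """EV 11.13.4 as quoted: the replaced EV cert is currently valid, and the
    replacement keeps both its expiry date and its Subject."""
    return (old.ev
            and old.not_after >= issue_on
            and new_not_after == old.not_after
            and new_subject == old.subject)


def rekey_decision(old: IssuedCert, new_subject: str,
                   new_not_after: date, issue_on: date) -> tuple[bool, str]:
    """Return (may_reuse_validation, reason).

    Pre-BR legacy certificates get no special treatment here: per the post,
    they must meet all BR requirements, so the 11.3 age test applies to them
    exactly as to any other certificate.
    """
    if ev_replacement_exception(old, new_subject, new_not_after, issue_on):
        return True, "EV 11.13.4 replacement exception: reuse verified data"
    age = months_between(old.validated_on, issue_on)
    if age < MAX_DATA_AGE_MONTHS:
        return True, f"validation data is {age} months old (< {MAX_DATA_AGE_MONTHS}): reuse"
    return False, (f"validation data is {age} months old (>= {MAX_DATA_AGE_MONTHS}): "
                   "revalidate before rekey")


def demo() -> list[tuple[str, bool, str]]:
    """Constructed Heartbleed-day scenarios; returns (label, may_reuse, reason)."""
    issue_on = date(2014, 4, 12)  # constructed issuance date
    # constructed: DV cert renewed in 2013, but its data was verified in 2010
    stale_dv = IssuedCert("CN=www.example.com", date(2015, 6, 1),
                          date(2010, 12, 1), ev=False)
    # constructed: DV cert validated a year ago
    fresh_dv = IssuedCert("CN=www.example.com", date(2015, 4, 12),
                          date(2013, 4, 12), ev=False)
    # constructed: EV cert with the same stale data
    stale_ev = IssuedCert("CN=www.example.com,O=Example Corp", date(2015, 6, 1),
                          date(2010, 12, 1), ev=True)
    cases = [
        ("stale DV, same expiry", stale_dv, stale_dv.subject, stale_dv.not_after),
        ("fresh DV, new 1-year expiry", fresh_dv, fresh_dv.subject, date(2015, 4, 12)),
        ("stale EV, same expiry+subject", stale_ev, stale_ev.subject, stale_ev.not_after),
        ("stale EV, extended expiry", stale_ev, stale_ev.subject, date(2016, 6, 1)),
    ]
    return [(label, *rekey_decision(c, s, e, issue_on)) for label, c, s, e in cases]


if __name__ == "__main__":
    for label, ok, reason in demo():
        print(f"{label:32s} {'REUSE' if ok else 'REVALIDATE':10s} {reason}")
```

The first and third cases show the asymmetry the post complains about: identical verification data, identical expiry and subject, yet the DV rekey must wait for revalidation while the EV rekey may proceed under 11.13.4.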

