[cabfpub] BR Rekey Rules

kirk_hall at trendmicro.com
Thu Apr 17 13:37:49 UTC 2014

Sorry for the slow response.  Yes, Trend Micro would support adding the language of EVGL 11.13.4 concerning reissue to the BRs for all certificates (allowing reissuance based on older authentication data so long as you retain the original expiration date).  As you say, this is a good response to the Heartbleed issue.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Wayne Thayer
Sent: Friday, April 11, 2014 8:18 PM
Subject: [cabfpub] BR Rekey Rules

Last year the issue of applying all the BR rules to a reissued certificate was debated here, and my understanding of the outcome is that CAs are required to do this. In light of Heartbleed, this rule creates some interesting impediments to key rollover:
- BR section 11.3 states that the age of data used to validate a certificate must be less than 39 months. There are a number of cases such as renewals in which a certificate may have been originally issued with data that met this age requirement but has since expired.
- pre-BR legacy certificates can't be rekeyed without meeting all BR requirements

These issues are slowing down efforts to address Heartbleed, at least here at GoDaddy.

Note that the EV Guidelines provide a definition of reissuance and an exception (11.13.4) that is missing from the BRs:

A CA may rely on previously verified information to issue a replacement certificate where:
(1) The expiration date of the replacement certificate is the same as the expiration date of the currently valid EV Certificate that is being replaced, and
(2) The Subject of the Certificate is the same as the Subject in the currently valid EV Certificate that is being replaced

Is there any support from other CAs and browsers to reconsider this BR rule in light of the current situation, or to at least make an exception for a major security event? If so, I'd argue that we need to figure out how to move on this much more quickly than the normal ballot process.
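To make the two rules under discussion concrete, here is an added example (not part of either message, and not CA Browser Forum or any CA's code) that encodes the BR 11.3 data-age limit of 39 months and the EVGL 11.13.4 replacement conditions as a reissuance decision. Field names, the `Cert` record, and the sample dates are constructed for illustration; "currently valid" is approximated by checking that the original certificate has not expired, with revocation status assumed to be tracked elsewhere.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# BR section 11.3 (as quoted in the thread): validation data must be
# less than 39 months old at the time it is used to issue a certificate.
MAX_DATA_AGE_MONTHS = 39


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (e.g. 31 Jan + 1 month -> 28/29 Feb)."""
    year_delta, month_index = divmod(d.month - 1 + months, 12)
    year = d.year + year_delta
    month = month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def validation_data_is_fresh(verified_on: date, issue_on: date) -> bool:
    """BR 11.3 check: data is usable only if issuance happens before it turns 39 months old."""
    return issue_on < add_months(verified_on, MAX_DATA_AGE_MONTHS)


@dataclass(frozen=True)
class Cert:
    """Minimal constructed record of the fields the EVGL 11.13.4 conditions compare."""
    subject: str
    not_after: date


def replacement_exception_applies(original: Cert, replacement: Cert, today: date) -> bool:
    """EVGL 11.13.4 (as quoted): the CA may rely on previously verified information if
    (1) the replacement keeps the expiration date of the currently valid certificate, and
    (2) the Subject is unchanged. 'Currently valid' is approximated here as 'not expired';
    revocation status is assumed to be checked by the caller."""
    return (
        today <= original.not_after
        and replacement.not_after == original.not_after
        and replacement.subject == original.subject
    )


def may_rely_on_prior_verification(
    verified_on: date, original: Cert, replacement: Cert, today: date
) -> tuple[bool, str]:
    """Decide whether a reissue/rekey may reuse existing validation data, and say why.
    Fresh data satisfies the BRs directly; otherwise the EV-style replacement
    exception the thread proposes importing into the BRs is the only way to avoid revalidation."""
    if validation_data_is_fresh(verified_on, today):
        return True, "validation data is under 39 months old (BR 11.3)"
    if replacement_exception_applies(original, replacement, today):
        return True, "replacement exception applies (EVGL 11.13.4 conditions met)"
    return False, "revalidation required before reissuance"


if __name__ == "__main__":
    # Constructed Heartbleed-era rekey scenario: validated in late 2010, original
    # certificate still valid, customer wants a new key pair in April 2014.
    verified = date(2010, 10, 1)
    today = date(2014, 4, 17)
    original = Cert("CN=www.example.com", date(2015, 10, 1))
    same_expiry = Cert("CN=www.example.com", date(2015, 10, 1))
    extended = Cert("CN=www.example.com", date(2016, 10, 1))
    print(may_rely_on_prior_verification(verified, original, same_expiry, today))
    print(may_rely_on_prior_verification(verified, original, extended, today))
```

The second call in the usage section shows the impediment Wayne describes: once the validation data has aged past 39 months, only a replacement that keeps the original expiration date (and Subject) can be issued without revalidation, while a rekey that also extends the term must go through full validation again.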



