[cabfpub] BR Rekey Rules

Gervase Markham gerv at mozilla.org
Thu Apr 17 14:29:39 UTC 2014

On 17/04/14 15:11, kirk_hall at trendmicro.com wrote:
> Gerv -- I think Wayne is asking for a reissue rule for all certs
> (including 2 year and 3 year certs) that allows reissue to the
> original expiration date without having to re-vet the applicant.  For
> example, a customer might have been vetted on 1/1/2010 (good for 39
> months) and receive a 3 year OV cert on 10/1/2012 that expires
> 9/30/2015. 

I was not aware that it was permissible for CAs to vet on date X, and
then issue a max-length cert (5 years?) for that customer without
revetting on date X + 38 months, i.e. a cert that lasts 5 years is based
on info which is already over 3 years old. That seems wrong to me. But
then, I've never set much store by the OV vetting process ;-)

> The customer wants to revoke and reissue with a new cert
> that also expires on 9/30/2015.  The CA wants to do this, but the
> last vetting was more than 39 months ago.

The aim of the 39-month rule was, AIUI, to not have certs created with
really old info in. It seems that it doesn't fully achieve that, if my
scenario above is accurate. However, I'm not sure that means we should
drive a second coach-and-horses through this hole after the first one
has passed.

Still, having understood the situation better: given that Firefox does
not use OV information in its primary UI, we would consider abstaining
on a ballot on this question.
