[cabfpub] BR Rekey Rules

Geoff Keating geoffk at apple.com
Mon Apr 21 19:58:23 UTC 2014


On 21 Apr 2014, at 11:30 am, Ben Wilson <ben at digicert.com> wrote:

> section 11.13.4 of the
> Extended Validation Guidelines provides reissuance under an exception if the
> replacement certificate has the same name and expiration date of the
> currently valid EV Certificate being replaced.

To avoid confusion, this is what was said in the discussion, but I don't believe it's a completely accurate statement of what the EV guidelines say.  What they say is that "A CA may rely on previously verified information to issue a replacement certificate" which is not necessarily the same as "you may reissue"---the previously verified information may not be enough.

I guess it's worth pointing out that an EV certificate has a maximum lifespan of 27 months, and the previous sections allow use of information up to 13 months old, so all that section does is extend from 13 to 40 months maximum, and that's for reissuing a cert with 1-day validity.  By comparison, the BRs allow 39-month-old information to be used to issue a certificate that might have up to a 60-month lifespan, for a total of over 8 years before anything is rechecked (disregarding the Mozilla policy).