[cabfpub] BR Rekey Rules

Ben Wilson ben at digicert.com
Mon Apr 21 20:05:17 UTC 2014

Good point, Geoff.  Thanks.  Is there any objection to having this inserted
into the minutes as a bracketed, post-hoc clarification/comment? 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Geoff Keating
Sent: Monday, April 21, 2014 1:58 PM
To: Ben Wilson
Subject: Re: [cabfpub] BR Rekey Rules

On 21 Apr 2014, at 11:30 am, Ben Wilson <ben at digicert.com> wrote:

> section 11.13.4 of the
> Extended Validation Guidelines provides reissuance under an exception 
> if the replacement certificate has the same name and expiration date 
> of the currently valid EV Certificate being replaced.

To avoid confusion, this is what was said in the discussion, but I don't
believe it's a completely accurate statement of what the EV guidelines say.
What they say is that "A CA may rely on previously verified information to
issue a replacement certificate" which is not necessarily the same as "you
may reissue"---the previously verified information may not be enough.

I guess it's worth pointing out that an EV certificate has a maximum
lifespan of 27 months, and the previous sections allow use of information up
to 13 months old, so all that section does is extend from 13 to 40 months
maximum, and that's for reissuing a cert with 1 day validity.  By comparison
the BRs allow 39 month old information to be used to issue a certificate
that might have up to a 60 month lifespan, for a total of over 8 years
before anything is rechecked (disregarding the Mozilla policy).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140421/8319b177/attachment-0001.p7s>

More information about the Public mailing list