[cabfpub] BR Enterprise RAs
Rob Stradling
rob.stradling at comodo.com
Thu Jan 23 03:23:55 MST 2014
On 23/01/14 01:54, Ryan Sleevi wrote:
> On Wed, Jan 22, 2014 at 12:47 PM, Rob Stradling wrote:
<snip>
> Ryan,
>
> If 11.3 doesn't apply to 11.1.1 _at all_, then a CA could rely on a
> Domain Authorization Document _forever_, as long as it was "(ii)
> used by the CA to verify a previously issued certificate and that
> the Domain Name's WHOIS record has not been modified since the
> previous certificate's issuance."
>
> Surely the intent was that 11.3 should cap the length of time that a
> CA may rely on a Domain Authorization Document to a maximum of 39
> months?
>
> Why? If WHOIS hasn't changed, there's no (public) indicator that the
> authorization is no longer valid.
>
> As long as, for every certificate being issued, the CA is checking the
> WHOIS to ensure no changes since the Domain Authorization Document was
> received, I'm not sure I'd see the problem.
>
> I'd still expect the certs themselves to be constrained (to the 60 or 39
> month period, depending on BRs or EVGs), but as long as the WHOIS data
> has not changed (which would include Updated Date, Creation Data, and
> Expiration Date), I don't see why there would be an issue relying on the
> document.
OK. On reflection, I think you're correct.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list