[cabfpub] BR Enterprise RAs

Rob Stradling rob.stradling at comodo.com
Thu Jan 23 10:23:55 UTC 2014

On 23/01/14 01:54, Ryan Sleevi wrote:
> On Wed, Jan 22, 2014 at 12:47 PM, Rob Stradling wrote:
>     Ryan,
>     If 11.3 doesn't apply to 11.1.1 _at all_, then a CA could rely on a
>     Domain Authorization Document _forever_, as long as it was "(ii)
>     used by the CA to verify a previously issued certificate and that
>     the Domain Name's WHOIS record has not been modified since the
>     previous certificate's issuance."
>     Surely the intent was that 11.3 should cap the length of time that a
>     CA may rely on a Domain Authorization Document to a maximum of 39
>     months?
> Why? If WHOIS hasn't changed, there's no (public) indicator that the
> authorization is no longer valid.
> As long as, for every certificate being issued, the CA is checking the
> WHOIS to ensure no changes since the Domain Authorization Document was
> received, I'm not sure I'd see the problem.
> I'd still expect the certs themselves to be constrained (to the 60 or 39
> month period, depending on BRs or EVGs), but as long as the WHOIS data
> has not changed (which would include Updated Date, Creation Date, and
> Expiration Date), I don't see why there would be an issue relying on the
> document.

OK.  On reflection, I think you're correct.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
