[cabfpub] Age of Certificate Data

Ryan Sleevi sleevi at google.com
Thu Dec 3 13:30:43 MST 2015


Based on https://tools.ietf.org/html/rfc3647#section-4.4.2 , it would seem
like Section 4.2.1 might be more appropriate.

If I'm understanding correctly, the goal of Section 3.3 is to describe how
data is initially validated/processed. I don't think adding a Section 3.5
is consistent with our goals of a 3647 framework.


For example, perhaps moving it to section 4.2.1, between "Applicant
information MUST" and "The CA SHALL develop"

The CA MUST ensure that all data and documents validated according to
Section 3.2 were provided to the CA no more than thirty-nine (39) months
prior to issuing the Certificate.


I'm not sure whether we want "provided to the CA" or "obtained by the
CA", and whether CAs feel there's a distinction worth making.
This would also, hopefully, encompass the activities of the RA with respect
to the final paragraph of Section 4.2.1 - that is, if documents were
provided (and validated) by an RA, then they are "fulfilling [any of] the
CA's obligation under this section", and thus the 39-month period applies
to the RA, not when the RA submitted the validated docs to the CA. I
believe that's consistent both with the original 11.3 and with the intent,
but I'd be curious if others disagree.


On Thu, Dec 3, 2015 at 4:35 AM, Doug Beattie <doug.beattie at globalsign.com>
wrote:

> I might have mentioned this before but ran across it again today.  Prior
> to RFC 3647 format conversion we had this:
>
> 11.3 Age of Certificate Data
>
> Section 9.4 limits the validity period of Subscriber Certificates. The
> CA MAY use the documents and data provided in Section 11 to verify
> certificate information, provided that the CA obtained the data or document
> from a source specified under Section 11 no more than thirty-nine (39)
> months prior to issuing the Certificate.
>
> But now we have this:
>
> 3.3 Identification and authentication for re-key requests
>
> 3.3.1 Identification and Authentication for Routine Re-key
>
> Section 6.3.2 limits the validity period of Subscriber Certificates. The
> CA MAY use the documents and data provided in Section 3.2 to verify
> certificate information, provided that the CA obtained the data or document
> from a source specified under Section 3.2 no more than thirty-nine (39)
> months prior to issuing the Certificate.
>
> The re-use of certificate data seems to be limited to routine Re-key
> requests when before it could be used for any purpose.  Can we find a new
> heading section for this so it’s clear we can use it for purposes other
> than rekey?  Maybe a new section, 3.5, for this purpose?
>
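As an added illustration (not part of the thread or of the Baseline Requirements text), here is a small Python check of the 39-month rule that makes the distinction the reply draws: the period runs from when the data was obtained, by the CA or by an RA acting for it, not from when an RA later submitted it. The evidence record format, its dates and the count_from switch are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import calendar

MAX_AGE_MONTHS = 39  # Baseline Requirements data-age limit the thread discusses (11.3 / 4.2.1)

def months_before(d: date, months: int) -> date:
    """Calendar-month subtraction; the day is clamped to the target month's last day."""
    total = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(total, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

@dataclass(frozen=True)
class ValidationEvidence:
    """A document or data item validated under Section 3.2 (constructed record format)."""
    source: str                                # label for the 3.2 method that produced it
    obtained_on: date                          # when the CA or its RA obtained/validated it
    submitted_to_ca_on: Optional[date] = None  # when an RA forwarded it to the CA, if any

def reuse_cutoff(issuance_date: date) -> date:
    """Earliest date data may have been obtained and still be reused at issuance."""
    return months_before(issuance_date, MAX_AGE_MONTHS)

def is_reusable(ev: ValidationEvidence, issuance_date: date, count_from: str = "obtained") -> bool:
    """True if ev may be reused for a certificate issued on issuance_date.

    count_from="obtained": the 39 months run from when the data was obtained, whether by the
    CA or by an RA acting for it (the reading the reply argues for).
    count_from="submitted": they run from when an RA handed the data to the CA instead
    (the reading the reply rejects).
    """
    if count_from == "submitted" and ev.submitted_to_ca_on is not None:
        anchor = ev.submitted_to_ca_on
    else:
        anchor = ev.obtained_on
    return anchor >= reuse_cutoff(issuance_date)

if __name__ == "__main__":
    # Constructed case: an RA validated a document in Aug 2012 but forwarded it in Jan 2013.
    ev = ValidationEvidence("Section 3.2 domain validation", date(2012, 8, 15), date(2013, 1, 10))
    issued = date(2015, 12, 3)
    print(reuse_cutoff(issued))                  # 2012-09-03
    print(is_reusable(ev, issued))               # False: obtained more than 39 months earlier
    print(is_reusable(ev, issued, "submitted"))  # True only under the submission reading
```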