[cabfpub] [cabfquest] Question about reissuance regulations

Richard Wang richard at wosign.com
Mon Jan 5 17:47:54 MST 2015 

We do the domain control validation at each reissuance.

Regards,

Richard

> On Jan 6, 2015, at 06:38, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> More precisely:
>  
> Section 11.3: The CA MAY use the documents and data provided in Section 11 to verify certificate information, provide that the CA obtained the data or document from a source specified under Section 11 no more than thirty-nine (39) months prior to issuing the Certificate.
>  
> Mozilla (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/): verify that all of the information that is included in SSL certificates remains current and correct at time intervals of thirty-nine months or less;
>  
> Jeremy
>  
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
> Sent: Monday, January 5, 2015 3:28 PM
> To: Eddy Nigg
> Cc: CABFPub
> Subject: Re: [cabfpub] [cabfquest] Question about reissuance regulations
>  
> BRs say once every 39 months.  So does the Mozilla policy. 13 months is for EV.
>  
> From: Eddy Nigg [mailto:eddy_nigg at startcom.org] 
> Sent: Monday, January 5, 2015 3:24 PM
> To: Jeremy Rowley
> Cc: CABFPub
> Subject: Re: [cabfquest] Question about reissuance regulations
>  
>  
> On 01/05/2015 09:26 PM, Jeremy Rowley wrote:
> Hi Davis,
>  
> There aren’t requirements that a CA re-perform domain validation upon reissuance. Section 11.3 of the BRs permit a CA to reuse documentation for up to 39 months from the date it is collected.
> 
> If that's true it would be a serious flaw in the BR. Mustn't a domain be re-validated at least after max 13 month? Personally I would expect any reasonable CA to revalidate more frequently anyway.
> 
> Also the web trust audit has requirements for identifying certificate requests and its authorization, not sure where the BR stands on this (without reading the whole thing again).
> 
> --
> Regards 
>  
> Signer: 
> Eddy Nigg, COO/CTO
>  
> StartCom Ltd.
> XMPP: 
> startcom at startcom.org
> Blog: 
> Join the Revolution!
> Twitter: 
> Follow Me
>  
>  
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20150106/0214864e/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7161 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20150106/0214864e/attachment-0001.bin

More information about the Public mailing list