[cabfpub] [cabfquest] Question about reissuance regulations
jeremy.rowley at digicert.com
Mon Jan 5 22:39:06 UTC 2015
Section 11.3: The CA MAY use the documents and data provided in Section 11 to verify certificate information, provide that the CA obtained the data or document from a source specified under Section 11 no more than thirty-nine (39) months prior to issuing the Certificate.
Mozilla (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/): verify that all of the information that is included in SSL certificates remains current and correct at time intervals of thirty-nine months or less;
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Monday, January 5, 2015 3:28 PM
To: Eddy Nigg
Subject: Re: [cabfpub] [cabfquest] Question about reissuance regulations
BRs say once every 39 months. So does the Mozilla policy. 13 months is for EV.
From: Eddy Nigg [mailto:eddy_nigg at startcom.org]
Sent: Monday, January 5, 2015 3:24 PM
To: Jeremy Rowley
Subject: Re: [cabfquest] Question about reissuance regulations
On 01/05/2015 09:26 PM, Jeremy Rowley wrote:
There aren't requirements that a CA re-perform domain validation upon reissuance. Section 11.3 of the BRs permit a CA to reuse documentation for up to 39 months from the date it is collected.
If that's true it would be a serious flaw in the BR. Mustn't a domain be re-validated at least after max 13 month? Personally I would expect any reasonable CA to revalidate more frequently anyway.
Also the web trust audit has requirements for identifying certificate requests and its authorization, not sure where the BR stands on this (without reading the whole thing again).
Eddy Nigg, COO/CTO
startcom at startcom.org<xmpp:startcom at startcom.org>
Join the Revolution!<http://blog.startcom.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public