[cabfpub] Draft Ballot 186 - Limiting the Reuse of Validation Information

Ryan Sleevi sleevi at google.com
Wed Feb 1 12:06:13 MST 2017


On Wed, Feb 1, 2017 at 10:57 AM, Peter Bowen <pzbowen at gmail.com> wrote:

> On Wed, Feb 1, 2017 at 10:51 AM, Ryan Sleevi via Public
> <public at cabforum.org> wrote:
> >
> >
> > On Wed, Feb 1, 2017 at 10:49 AM, Ryan Sleevi <sleevi at google.com> wrote:
> >>
> >> Reposting on behalf of Jürgen Brauckmann <brauckmann at dfn-cert.de>
> >>
> >> Ryan Sleevi via Public wrote:
> >> >   4. The CA has not revoked any certificates which contain certificate
> >> > information verified using the document or data.
> >>
> >> Your goal is to kill OV?
> >
> >
> > And why does OV require revocation? OV totally remains valid, so long as
> > you're not revoking those certs.
> >
> > As mentioned in my other message just now, beyond keyCompromise, what other
> > reasons would you revoke a cert? Surely if you revoke a cert because of
> > "affiliationChanged", you should very well be revalidating the affiliation
> > before issuing a new cert; otherwise, you could revoke the cert and totally
> > reissue it using the original bogus information.
>
> Consider the X.509 text:
>
> - superseded indicates that the certificate has been superseded but
> there is no cause to suspect that the private key has been compromised
>
> - cessationOfOperation indicates that the certificate is no longer
> needed for the purpose for which it was issued but there is no cause
> to suspect that the private key has been compromised
>
> If a customer is replacing certificate X with certificate Y (probably
> with the same SANs), it is completely reasonable for them to request
> revocation of X once Y is fully deployed.  I would use "superseded"
> for this case.  It is also possible that a customer ceases to use a
> server and wants to revoke using "cessationOfOperation".  Neither of
> these cases says anything about the validity of the domain
> registration or organization information.
>
> Thanks,
> Peter
>

Thanks Peter. I'm curious - if the ballot allowed for the re-use of
previously validated information, provided that the only certificates
revoked were for keyCompromise, superseded, and cessationOfOperation, do
you think that would resolve the first concern you raised?

Despite the bugginess/lack of coverage of the WHOIS validation, I'm also
happy to reintroduce that back in this Ballot, and then work on a
subsequent ballot to better refine that to reflect the intent of the
original text as it relates to the practical demonstrations of control
presently permitted.