[cabfpub] Ballot 193 - 825-day Certificate Lifetimes

Kirk Hall Kirk.Hall at entrustdatacard.com
Wed Mar 1 17:31:56 MST 2017 

There were people at several CAs who worked on this draft, but here is my understanding of these provisions.



As to the new language in this paragraph:


“BR 4.2.1 *** Section 6.3.2 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that (i) the CA obtained the data or document from a source specified under Section 3.2 no more than 825 days thirty‐nine (39) months prior to issuing the Certificate; and (ii) the method used to obtain the document or data was acceptable under Section 3.2 at the time the document or data was obtained.”



Everything down to (ii) is already part of BR 4.2.1 (but changed from 39 months to 825 days).  New subsection (ii) came from Ballot 186, and was intended to deal with the question of whether a change in a validation method requires revetting of all applicants who are still within the vetting data validity period. – the answer is no.  (This question briefly came up with Ballot 169.)  If a future ballot changes a validation method and wants to mandate revetting of data that is still within the data validity period, the future ballot should specifically say that so no one is confused.



On your second point, the following “new” BR language in Ballot 193 has part of EVGL 11.14.1(6) for EV cert domain validation for many years.  This new BR section is part of an effort to harmonize the BRs and EVGL so if a method is permitted in the EVGL, it’s also permitted in the BRs.


“ BR 4.2.1 *** If an Applicant has a currently valid Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of the Applicant's right to use the specified Domain Name under Section 3.2.2.4, provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the existing Certificate.”







-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
Sent: Wednesday, March 1, 2017 3:51 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Peter Bowen <pzb at amzn.com>
Subject: Re: [cabfpub] Ballot 193 - 825-day Certificate Lifetimes





> On Mar 1, 2017, at 2:14 PM, Chris Bailey via Public <public at cabforum.org<mailto:public at cabforum.org>> wrote:

> Section 6.3.2 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that (i) the CA obtained the data or document from a source specified under Section 3.2 no more than 825 days thirty‐nine (39) months prior to issuing the Certificate; and (ii) the method used to obtain the document or data was acceptable under Section 3.2 at the time the document or data was obtained.

>

> A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if:

> (1) The expiration date of the replacement certificate is the same as the expiration date of the Certificate that is being replaced, and

> (2) The Subject Information of the Certificate is the same as the Subject in the Certificate that is being replaced.

>

> If an Applicant has a currently valid Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of the Applicant's right to use the specified Domain Name under Section 3.2.2.4, provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the existing Certificate.



Chris,



This seems a little out of order or I’m not understanding it.  Wouldn’t it read better to move the last sentence up to above the “replacement certificate” provision?  It would probably also be clearer to use the negative of the sentence:



"If an Applicant has a currently valid Certificate issued by the CA, a CA MAY NOT rely on its prior authentication and verification of the Applicant's right to use the specified Domain Name under Section 3.2.2.4 unless the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the existing Certificate."



That makes it clearer that you are constraining reuse of data to cases where you ensure the domain didn’t change hands.



I also think it would be good to define what must be the same in the WHOIS record — if the postal address, email address, or phone numbers change, is it still the same registrant?



Thanks,

Peter



_______________________________________________

Public mailing list

Public at cabforum.org<mailto:Public at cabforum.org>

https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170302/38a90e63/attachment-0001.html>

More information about the Public mailing list