[cabfpub] Restrict certificate lifetime to domain registration period (if certificate expiry date is greater than domain registration)

Ryan Sleevi sleevi at google.com
Thu Jan 11 23:18:00 UTC 2018


The Baseline Requirements, Section 4.9.1.1, requires that the CA revoke if:
6. The CA is made aware of any circumstance indicating that use of a
Fully-Qualified Domain Name or IP address in the Certificate is no
longer legally permitted (e.g. a court or arbitrator has revoked a
Domain Name Registrant’s right to use the Domain Name, a relevant
licensing or services agreement between the Domain Name Registrant and
the Applicant has terminated, or the Domain Name Registrant has failed
to renew the Domain Name);

The Baseline Requirements, Section 9.6.3, requires that the Subscriber
Agreement imposed upon Subscribers must include:
5. Reporting and Revocation: An obligation and warranty to: (a) promptly
request revocation of the Certificate, and cease using it and its
associated Private Key, if there is any actual or suspected misuse or
compromise of the Subscriber’s Private Key associated with the Public
Key included in the Certificate, and (b) promptly request revocation of
the Certificate, and cease using it, if any information in the
Certificate is or becomes incorrect or inaccurate.


In order to do something as you propose, it must be possible to determine
the domain registration period. How do you propose to do that consistently
for all domains? (It's not actually available consistently).

On Thu, Jan 11, 2018 at 5:56 PM, James Burton via Public <public at cabforum.org> wrote:

> Shouldn't we start restricting the certificate lifetime to domain
> registration period if the certificate expiry date is greater than domain
> registration period?