[cabfpub] Restrict certificate lifetime to domain registration period (if certificate expiry date is greater than domain registration)

James Burton james at sirburton.com
Fri Jan 12 00:52:37 UTC 2018


*The Baseline Requirements, Section 4.9.1.1, requires that the CA revoke if:*
*6. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);*

It would be great if one or more of the CAs here could provide me with some
yearly statistics of certificates revoked due to these circumstances listed
above.

*In order to do something as you propose, it must be possible to determine
the domain registration period. How do you propose to do that consistently
for all domains? (It's not actually available consistently).*

All registries must provide a whois/status service, so determining the
domain registration period is as simple as a hot knife going through butter.




On Thu, Jan 11, 2018 at 11:18 PM, Ryan Sleevi <sleevi at google.com> wrote:

> The Baseline Requirements, Section 4.9.1.1, requires that the CA revoke if:
> 6. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);
>
> The Baseline Requirements, Section 9.6.3, requires that the Subscriber Agreement imposed upon Subscribers must include:
> 5. Reporting and Revocation: An obligation and warranty to: (a) promptly request revocation of the Certificate, and cease using it and its associated Private Key, if there is any actual or suspected misuse or compromise of the Subscriber’s Private Key associated with the Public Key included in the Certificate, and (b) promptly request revocation of the Certificate, and cease using it, if any information in the Certificate is or becomes incorrect or inaccurate.
>
>
> In order to do something as you propose, it must be possible to determine
> the domain registration period. How do you propose to do that consistently
> for all domains? (It's not actually available consistently).
>
> On Thu, Jan 11, 2018 at 5:56 PM, James Burton via Public <
> public at cabforum.org> wrote:
>
>> Shouldn't we start restricting the certificate lifetime to domain
>> registration period if the certificate expiry date is greater than domain
>> registration period?
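Added example, not part of the thread: a sketch of the check the proposal implies, capping a certificate's notAfter at the domain registration expiry read from WHOIS text. The field labels, date formats and sample responses are assumptions of this example (the samples are constructed, not captured), and a response with no recognised expiry field yields no cap at all.

```python
from datetime import datetime, timezone

# Expiry labels and date formats that differ between registries. Illustrative
# only, not exhaustive (assumption of this example).
EXPIRY_FIELDS = ("registry expiry date", "expiry date", "paid-till")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%d-%b-%Y", "%Y-%m-%d")


def registration_expiry(whois_text):
    """Return the registration expiry as an aware UTC datetime, or None."""
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if not sep or label.strip().lower() not in EXPIRY_FIELDS:
            continue
        for fmt in DATE_FORMATS:
            try:
                parsed = datetime.strptime(value.strip(), fmt)
            except ValueError:
                continue
            # Date-only values carry no zone; UTC is assumed here.
            return parsed.replace(tzinfo=timezone.utc)
    return None


def capped_not_after(requested_not_after, whois_text):
    """Cap notAfter at the registration expiry; None if expiry is unknown."""
    expiry = registration_expiry(whois_text)
    if expiry is None:
        # No usable expiry in the response: the caller has to decide whether
        # to refuse issuance or fall back to the policy maximum.
        return None
    return min(requested_not_after, expiry)


# Constructed sample responses, not captured from any registry.
SAMPLES = {
    "gtld": "Domain Name: EXAMPLE.COM\nRegistry Expiry Date: 2018-08-13T04:00:00Z\n",
    "uk": "Domain name:\n    example.co.uk\n    Expiry date:  13-Aug-2018\n",
    "no_expiry": "Domain: example.de\nStatus: connect\n",
}

if __name__ == "__main__":
    requested = datetime(2020, 1, 12, tzinfo=timezone.utc)
    for name, text in SAMPLES.items():
        print(name, capped_not_after(requested, text))
```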