[Servercert-wg] [EXTERNAL] Fwd: Data Reuse under BR 3.2.2.4.3 (Phone Contact with Domain Contact)

Ryan Sleevi sleevi at google.com
Tue Apr 21 09:12:51 MST 2020


On Tue, Apr 21, 2020 at 11:59 AM Bruce Morton via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Ben,
>
> This would be 825 days if used for OV/DV certificates and 13 months if used for
> EV certificates. So the date for EV would be 30 June 2020.
>

Is that correct? I mean, I do appreciate the reading, but I'm concerned it
overlooks many of the security holes that were unfortunately intentionally
added to EV certificates and which CAs rejected fixing:

The statement in 11.14.3 (1) is:
"Except for reissuance of an EV Certificate under Section 11.14.2 and
except when permitted otherwise in Section 11.14.1, "

 along with 11.14.3 (4):

"(4) The CA MUST repeat the verification process required in these
Guidelines for any information obtained outside the time limits specified
above except when permitted otherwise under section 11.14.1."

11.14.1 permits the CA to continue to use a previous domain validation
indefinitely, by virtue of 11.14.1 (7):
"The Applicant's right to use the specified Domain Name under Section 11.7,
provided that the CA verifies that the WHOIS record still shows the same
registrant as when the CA verified the specified Domain Name for the
initial EV Certificate."

This would suggest (and some CAs have interpreted it as allowing) indefinite
validation, by validating once and then simply relying on WHOIS
not to change. This is not really compatible with the BRs, for sure, and
the EVGs don't trump the BRs, but at least internally to the EVGs, these
sections do trump the EVGs' limits on data reuse, intentionally and
explicitly, unfortunately.

You might recall that this was something that Google tried to clarify in
SC22, to reduce this conflict and confusion. We're happy to propose similar
language now to address.