[Servercert-wg] [EXTERNAL] Fwd: Data Reuse under BR 3.2.2.4.3 (Phone Contact with Domain Contact)

Ben Wilson bwilson at mozilla.com
Tue Apr 21 09:29:49 MST 2020


I still think that re-use time periods run from the time the information is
verified and not from the expiration of the certificate for which the
validation method was used.


On Tue, Apr 21, 2020 at 10:13 AM Ryan Sleevi <sleevi at google.com> wrote:

>
>
> On Tue, Apr 21, 2020 at 11:59 AM Bruce Morton via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> Ben,
>>
>>
>>
>> This would be 825 days if used for OV/DV certificates and 13 months if used for
>> EV certificates. So the date for EV would be 30 June 2020.
>>
>
> Is that correct? I mean, I do appreciate the reading, but I'm concerned it
> overlooks many of the security holes that were unfortunately intentionally
> added to EV certificates and which CAs rejected fixing:
>
> The statement in 11.14.3 (1) is:
> "Except for reissuance of an EV Certificate under Section 11.14.2 and
> except when permitted otherwise in Section 11.14.1, "
>
> along with 11.14.3 (4):
>
> "(4) The CA MUST repeat the verification process required in these
> Guidelines for any information obtained outside the time limits specified
> above except when permitted otherwise under section 11.14.1."
>
> 11.14.1 permits the CA to continue to use a previous domain validation
> indefinitely, by virtue of 11.14.1 (7):
> "The Applicant's right to use the specified Domain Name under Section
> 11.7, provided that the CA verifies that the WHOIS record still shows the
> same registrant as when the CA verified the specified Domain Name for the
> initial EV Certificate."
>
> This would suggest (and some CAs have interpreted it as) allowing
> indefinite validation, by validating once and then simply relying on WHOIS
> not to change. This is not really compatible with the BRs, for sure, and
> the EVGs don't trump the BRs, but at least internally to the EVGs, these
> sections do trump the EVGs limits on data reuse, intentionally and
> explicitly, unfortunately.
>
> You might recall that this was something that Google tried to clarify in
> SC22, to reduce this conflict and confusion. We're happy to propose similar
> language now to address.
>