[cabf_validation] Draft ballot - Validation Lifetime Check

Doug Beattie doug.beattie at globalsign.com
Fri Mar 11 05:53:03 MST 2016


As long as you’re sure it’s the same applicant, that logic seems right to me.

Doug

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of J.C. Jones
Sent: Thursday, March 10, 2016 7:28 PM
To: Validation at cabforum.org
Subject: [cabf_validation] Draft ballot - Validation Lifetime Check

All,
I want to check our mutual understanding regarding the validity period of a particular domain validation, just to be sure!
The workflow used in ACME first validates a subscriber's domain control for one or more FQDNs, and then for a period of time the subscriber can issue any number of certificates for any combination of those validated FQDNs. This permits subscribers to, for example, add a SAN to a certificate with a minimum of fuss: any recently-validated FQDNs do not have to be re-validated. This also makes it smoother for ACME-users to use short-lived certificates.
For ACME's HTTP-01 and DNS-01 challenge types, validation method 6.b would govern the interaction. As I read the draft, after verifying the Random Value, the CA may consider the FQDN to be validated by the Subscriber for _up to_ 39 months, per section 6.3.2 (referred to by section 3.3.1). This permits the CA to exempt its Subscriber from having to re-verify control of previously-verified FQDNs in the event of a minor update. This presumes the case of DV certificates, and that clients are communicating directly to the ACME-using CA.

Does this logic follow?

Thanks,
- J.C.
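
Added example, not part of the original thread and not code from any CA or ACME implementation: a sketch of the reuse check discussed above, which returns the requested FQDNs that still need validation when prior validations count only for the same account and only within the 39-month ceiling. The record layout, the account identifiers, the function names and the sample data are assumptions constructed for illustration.

```python
import calendar
from datetime import datetime, timezone

# Ceiling cited in the thread (section 6.3.2); a CA may choose a shorter window.
MAX_REUSE_MONTHS = 39

def add_months(ts, months):
    """Calendar-month addition, clamping the day (Jan 31 + 1 month -> Feb 28/29)."""
    year, month0 = divmod(ts.year * 12 + (ts.month - 1) + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return ts.replace(year=year, month=month0 + 1, day=min(ts.day, last_day))

def normalize(fqdn):
    """Compare names case-insensitively and without a trailing root dot."""
    return fqdn.lower().rstrip(".")

def names_needing_validation(account_id, requested, validations, now,
                             reuse_months=MAX_REUSE_MONTHS):
    """Return the requested FQDNs the account must (re-)validate before issuance.

    validations: iterable of (account_id, fqdn, validated_at) records
    (hypothetical layout). Exact-name matching only; wildcards are out of scope.
    """
    reusable = set()
    for acct, fqdn, validated_at in validations:
        if acct != account_id:
            continue  # "same applicant" condition: never reuse another account's proof
        if validated_at <= now <= add_months(validated_at, reuse_months):
            reusable.add(normalize(fqdn))
    return sorted({normalize(n) for n in requested} - reusable)

# Constructed sample records, not real data.
UTC = timezone.utc
NOW = datetime(2016, 3, 11, tzinfo=UTC)
SAMPLE_VALIDATIONS = [
    ("acct-1", "www.example.com", datetime(2016, 3, 10, tzinfo=UTC)),   # fresh
    ("acct-1", "api.example.com", datetime(2012, 11, 1, tzinfo=UTC)),   # > 39 months old
    ("acct-2", "shop.example.com", datetime(2016, 3, 1, tzinfo=UTC)),   # other applicant
]

if __name__ == "__main__":
    wanted = ["WWW.example.com.", "api.example.com", "shop.example.com"]
    print(names_needing_validation("acct-1", wanted, SAMPLE_VALIDATIONS, NOW))
```
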