[cabf_validation] New process to renew domains

Doug Beattie doug.beattie at globalsign.com
Tue May 2 14:01:29 MST 2017


I'm curious what you think of this option to perform renewal of domains.

Let's assume you have a few domains that have been previously verified for a specific subscriber.  This subscriber requests a reissue and since the domains have been verified recently and you know this is the same subscriber, you issue the certificate with the applicable set of SANs.

Now, you check that they have installed the new certificate on each of the SANs. Assuming you can set up a TLS session to that NEW certificate, do you think it's feasible to reset the 825 day validity for those SANs (not domains, just the SANs that you can connect to)?  It's similar to Method 9.  It's certainly not applicable for new domain validations, but it seems like you could keep the SANs alive for a long time without needing to do specific domain validation checks outside of this.

In a managed account, the subscriber might be considered the Enterprise, so these domain re-validations could be applied to the Managed account.  This could greatly reduce the number of domain renewal operations that are required.

Doug
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 12529 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20170502/ed2adc0b/attachment.bin>


More information about the Validation mailing list