[cabf_validation] Domain (re)-validation edge cases

Ryan Sleevi sleevi at google.com
Mon Oct 25 17:15:17 UTC 2021


Just reflecting to the list that I filed
https://github.com/cabforum/servercert/issues/326

This came up while working through the validity periods portion of the
certificate profiles work. For technically constrained TLS sub-CAs, the
validity period is presently undefined, but these certificates rest on
assumptions about domain validation practices in Section 3.2.2.4 and
Section 3.3.2.5. Combined with the audit exception and (optional) CAA
exemption, this creates the opportunity for skipping domain validation
and/or assumptions based on stale data.

There are suggestions for moderate fixes, which seem to go beyond the
scale/remit of the profiles work (that is, even if some of this was tackled
in Profiles v2, there's other work outside of profiles needed), but it
seems to be worth tackling.