[cabfpub] Age of Certificate Data

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Dec 3 17:53:18 MST 2015


I sent this two hours ago, but apparently only to Doug.  This is another potential alternative that would keep the language close to the rest of the validation rules.

We will face the same issue if and when the reuse of data rules in the EVGL are rewritten to a RFC 3647 format.

From: Kirk Hall (RD-US)
Sent: Thursday, December 03, 2015 2:32 PM
To: 'Doug Beattie'
Subject: RE: Age of Certificate Data

Doug, I agree with you - but I think we have to find an existing RFC 3647 heading that works (can't make a new one and still be following the RFC 3647 format).  I pasted in below the sections we have from RFC 3647 - sadly, they forgot to include re-authentication.

Maybe we add a new paragraph at the end of BR 3.2.2 and use the old text.   We would support that if someone wants to include in a ballot.  Perhaps we add to the upcoming domain validation ballot?

3.2.2. Authentication of Organization and Domain Identity
[Existing paragraphs] ***

Section [6.3.2] limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section [3.2] to verify certificate information, provided that the CA obtained the data or document from a source specified under Section [3.2] no more than thirty-nine (39) months prior to issuing the Certificate.

RFC 3647

3.2  Initial identity validation

   3.2.1  Method to prove possession of private key

   3.2.2  Authentication of organization identity

   3.2.3  Authentication of individual identity

   3.2.4  Non-verified subscriber information

   3.2.5 Validation of authority

   3.2.6  Criteria for interoperation

3.3  Identification and authentication for re-key requests

   3.3.1  Identification and authentication for routine re-key

   3.3.2  Identification and authentication for re-key after revocation

3.4 Identification and authentication for revocation request


From: public-bounces at cabforum.org On Behalf Of Doug Beattie
Sent: Thursday, December 03, 2015 4:35 AM
To: CABFPub
Subject: [cabfpub] Age of Certificate Data

I might have mentioned this before but ran across it again today.  Prior to RFC 3647 format conversion we had this:

11.3  Age of Certificate Data
Section 9.4 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 11 to verify certificate information, provided that the CA obtained the data or document from a source specified under Section 11 no more than thirty-nine (39) months prior to issuing the Certificate.

But now we have this:

3.3  Identification and authentication for re-key requests
3.3.1 Identification and Authentication for Routine Re-key
Section 6.3.2 limits the validity period of Subscriber Certificates.   The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that the CA obtained the data or document from a source specified under Section 3.2 no more than thirty-nine (39) months prior to issuing the Certificate.

The re-use of certificate data seems to be limited to routine Re-key requests when before it could be used for any purpose.  Can we find a new heading section for this so it's clear we can use it for purposes other than rekey?  Maybe a new section, 3.5, for this purpose?


