[cabfpub] Draft Ballot 186 - Limiting the Reuse of Validation Information

Ryan Sleevi sleevi at google.com
Wed Feb 1 18:51:16 UTC 2017

On Wed, Feb 1, 2017 at 10:49 AM, Ryan Sleevi <sleevi at google.com> wrote:

> Reposting on behalf of Jürgen Brauckmann <brauckmann at dfn-cert.de>
> Ryan Sleevi via Public wrote:
> >   4. The CA has not revoked any certificates which contain certificate
> > information verified using the document or data.
> Your goal is to kill OV?

And why does OV require revocation? OV totally remains valid, so long as
you're not revoking those certs.

As mentioned in my other message just now, beyond keyCompromise, what other
reasons would you revoke a cert? Surely if you revoke a cert because of
"affiliationChanged", you should very well be revalidating the affiliation
before issuing a new cert; otherwise, you could revoke the cert and totally
reissue it using the original bogus information.

> Or am I missing something? e.g., Enterprise RA
> authorization must be revalidated each time a certificate is revoked? What?
> Regards,
>  Jürgen