[cabfpub] Draft Ballot 186 - Limiting the Reuse of Validation Information
pzb at amzn.com
Wed Feb 1 18:58:14 UTC 2017
> On Feb 1, 2017, at 10:51 AM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> On Wed, Feb 1, 2017 at 10:49 AM, Ryan Sleevi <sleevi at google.com> wrote:
> Reposting on behalf of Jürgen Brauckmann <brauckmann at dfn-cert.de>
> Ryan Sleevi via Public wrote:
> > 4. The CA has not revoked any certificates which contain certificate
> > information verified using the document or data.
> Your goal is to kill OV?
> And why does OV require revocation? OV totally remains valid, so long as you're not revoking those certs.
> As mentioned in my other message just now, beyond keyCompromise, what other reasons would you revoke a cert? Surely if you revoke a cert because of "affiliationChanged", you should very well be revalidating the affiliation before issuing a new cert; otherwise, you could revoke the cert and totally reissue it using the original bogus information.
Consider these revocation reasons in the X.509 text:
- superseded indicates that the certificate has been superseded but
there is no cause to suspect that the private key has been compromised
- cessationOfOperation indicates that the certificate is no longer
needed for the purpose for which it was issued but there is no cause
to suspect that the private key has been compromised
If a customer is replacing certificate X with certificate Y (probably
with the same SANs), it is completely reasonable for them to request
revocation of X once Y is fully deployed. I would use "superseded"
for this case. It is also possible that a customer ceases to use a
server and wants to revoke using "cessationOfOperation". Neither of
these cases says anything about the validity of the domain
registration or organization information.