[cabfpub] Ballot 193 - 825-day Certificate Lifetimes
Peter Bowen
pzb at amzn.com
Wed Mar 1 23:51:24 UTC 2017
> On Mar 1, 2017, at 2:14 PM, Chris Bailey via Public <public at cabforum.org> wrote:
> Section 6.3.2 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that (i) the CA obtained the data or document from a source specified under Section 3.2 no more than 825 days thirty‐nine (39) months prior to issuing the Certificate; and (ii) the method used to obtain the document or data was acceptable under Section 3.2 at the time the document or data was obtained.
>
> A CA may rely on a previously verified certificate request to issue a replacement certificate, so long as the certificate being referenced was not revoked due to fraud or other illegal conduct, if:
> (1) The expiration date of the replacement certificate is the same as the expiration date of the Certificate that is being replaced, and
> (2) The Subject Information of the Certificate is the same as the Subject in the Certificate that is being replaced.
>
> If an Applicant has a currently valid Certificate issued by the CA, a CA MAY rely on its prior authentication and verification of the Applicant's right to use the specified Domain Name under Section 3.2.2.4, provided that the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the existing Certificate.
Chris,
This seems a little out of order or I’m not understanding it. Wouldn’t it read better to move the last sentence up to above the “replacement certificate” provision? It would probably also be clearer to use the negative of the sentence:
"If an Applicant has a currently valid Certificate issued by the CA, a CA MAY NOT rely on its prior authentication and verification of the Applicant's right to use the specified Domain Name under Section 3.2.2.4 unless the CA verifies that the WHOIS record still shows the same registrant as when the CA verified the specified Domain Name for the existing Certificate."
That makes it clearer that you are constraining reuse of data to cases where you ensure the domain didn’t change hands.
I also think it would be good to define what must be the same in the WHOIS record — if the postal address, email address, or phone numbers change, is it still the same registrant?
Thanks,
Peter
More information about the Public
mailing list