[cabfpub] Ballot 193 - 825-day Certificate Lifetimes

Thu Mar 2 00:04:25 UTC 2017

On Wed, Mar 1, 2017 at 3:51 PM, Peter Bowen via Public <public at cabforum.org>
wrote:

>
> > On Mar 1, 2017, at 2:14 PM, Chris Bailey via Public <public at cabforum.org>
> wrote:
> > Section 6.3.2 limits the validity period of Subscriber Certificates. The
> CA MAY use the documents and data provided in Section 3.2 to verify
> certificate information, provided that (i) the CA obtained the data or
> document from a source specified under Section 3.2 no more than 825 days
> thirty‐nine (39) months prior to issuing the Certificate; and (ii) the
> method used to obtain the document or data was acceptable under Section 3.2
> at the time the document or data was obtained.
> >
> > A CA may rely on a previously verified certificate request to issue a
> replacement certificate, so long as the certificate being referenced was
> not revoked due to fraud or other illegal conduct, if:
> > (1) The expiration date of the replacement certificate is the same as
> the expiration date of the Certificate that is being replaced, and
> > (2) The Subject Information of the Certificate is the same as the
> Subject in the Certificate that is being replaced.
> >
> > If an Applicant has a currently valid Certificate issued by the CA, a CA
> MAY rely on its prior authentication and verification of the Applicant's
> right to use the specified Domain Name under Section 3.2.2.4, provided that
> the CA verifies that the WHOIS record still shows the same registrant as
> when the CA verified the specified Domain Name for the existing Certificate.
>
> Chris,
>
> This seems a little out of order or I’m not understanding it.  Wouldn’t it
> read better to move the last sentence up to above the “replacement
> certificate” provision?  It would probably also be clearer to use the
> negative of the sentence:
>
> "If an Applicant has a currently valid Certificate issued by the CA, a CA
> MAY NOT rely on its prior authentication and verification of the
> Applicant's right to use the specified Domain Name under Section 3.2.2.4
> unless the CA verifies that the WHOIS record still shows the same
> registrant as when the CA verified the specified Domain Name for the
> existing Certificate."
>
> That makes it clearer that you are constraining reuse of data to cases
> where you ensure the domain didn’t change hands.
>
> I also think it would be good to define what must be the same in the WHOIS
> record — if the postal address, email address, or phone numbers change, is
> it still the same registrant?
>

If that was the intent, I agree, it should be clearly stated. As worded, it
presents the opportunity to indefinitely reissue certificates in a way that
creates a conflict with the proviso in Section 4.2.1 regarding the use of
documents and data previously provided.

While it's encouraging to see the introduction of WHOIS revalidation, this
remains problematic and not trivially identified:
  - For TLDs which do not provide a WHOIS service, what happens?
  - Given that WHOIS represents a human readable entry, it introduces
ambiguity into the determination of 'same registrant', as you note.
  - It introduces security risks with respect to the use of privacy
preserving registrations, in that two independent Applicants may utilize
the same subscriber, and thus be materially presented as the same
Technical/Administrative/Billing contacts

While these are interesting problems to explore, it highlights the
challenges that arise when introducing multiple items into a single Ballot,
and reiterates the need to make the smallest change possible. As Ballot 188
demonstrates, even well-intentioned, well-regarded changes can introduce
nuanced bugs that can seriously undermine the security and stability of the
ecosystem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170301/e3cb71b8/attachment-0003.html>