[cabf_validation] Domain Validation update for discussion

kirk_hall at trendmicro.com
Sun Jun 21 08:06:34 MST 2015

Doug - I can only speak to one part of this.  We did not want a CA to be able to use the same [marker] placed on the customer's website for 10-20 years, at the time of each re-vetting of the domain (13 months for EV, 39 months for OV for the domain).  Instead, the 30 day language is intended to say that at each revetting the CA must give the customer a new [marker] to place in the appropriate place and then confirmed by the CA.  We said 30 days because the customer might delay in using the marker, might screw up, etc.  However, once the domain has been authenticated (DV, OV, or EV) by this practical demonstration method, the vetting is good for 13/39 months, same as always.

From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Sunday, June 21, 2015 10:09 AM
To: Jeremy Rowley; validation at cabforum.org
Subject: Re: [cabf_validation] Domain Validation update for discussion

I must have missed the discussion around the topics in this new addition:

* The CA MUST generate and use a new Random Value, Request Token, or Test Certificate for each Authorization Domain validated and MUST NOT rely on a Random Value, Request Token or Test Certificate generated more than 30 days prior to completing verification under this section

What was the reasoning behind using different values for different Authorized Domains (not even sure what this means because we are validating FQDNs, not Authorized Domains...) and why the value is limited to 30 days?

If someone orders a multi-SAN cert the CA should be able to use the same value for all the SANs in the cert when using DNS or a file (maybe not the email validation).  Why do we need to have a lot of different values for one request for a certificate (what we normally call an "order")?

If people add and remove SANs from that cert (the "order"), the same random value should be able to be used for the life of the order; as long as the time between creating that token (when the request for the cert was first placed) and using it is less than 39 months, it should be acceptable.  Was there a security reason to limit the validity of the random value?


From: validation-bounces at cabforum.org [mailto:validation-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, June 18, 2015 3:26 PM
To: validation at cabforum.org
Subject: [cabf_validation] Domain Validation update for discussion

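As an added worked example (my own code, not the Forum's draft text nor any CA's implementation), the following Python issuer/verifier enforces the two rules in the quoted requirement above: a new Random Value for each Authorization Domain validated, and no reliance on a value generated more than 30 days before verification completes. It also models Kirk's reading that each re-vetting gets a freshly issued marker (the quoted text itself does not say "one-time use"; that check is labelled as such in the code), and walks through Doug's multi-SAN order to show that two Authorization Domains get two values. All class and function names, the example.com/example.net domains, and the clock fixed at the thread's date are this example's own assumptions; fetching the value from DNS or a well-known file is out of scope and simulated by passing the observed string in.

```python
# Added example (not from the cabforum thread or any CA's code): a toy issuer
# and verifier for domain-validation Random Values that enforces the quoted
# draft rules (new value per Authorization Domain; never rely on a value
# generated more than 30 days before verification completes) plus Kirk's
# reading that a re-vetting needs a freshly issued value. All names and the
# sample data below are this example's own assumptions.
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MAX_VALUE_AGE = timedelta(days=30)  # "more than 30 days prior" in the draft text


class ValidationError(Exception):
    """The observed value must not be relied upon to validate the domain."""


class RandomValueStore:
    """Issues Random Values bound to exactly one Authorization Domain and
    checks them at verification time. `clock` is injectable so the 30-day
    rule can be exercised deterministically."""

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._records = []  # one dict per issued value

    @staticmethod
    def _norm(domain):
        return domain.strip().lower().rstrip(".")

    def issue(self, authorization_domain):
        """Mint a fresh 128-bit CSPRNG value for one Authorization Domain.
        Every call mints a new value, so another domain in the same order,
        a later re-vetting, or another customer never shares one."""
        value = secrets.token_hex(16)
        self._records.append({
            "domain": self._norm(authorization_domain),
            "value": value,
            "issued_at": self._clock(),
            "used": False,
        })
        return value

    def verify(self, authorization_domain, observed):
        """Decide whether `observed` (as read back from a DNS TXT record or a
        well-known file; the fetch is out of scope) completes validation of
        `authorization_domain` now. Raises ValidationError with the reason."""
        domain = self._norm(authorization_domain)
        now = self._clock()
        for rec in self._records:
            # constant-time compare so timing does not leak value bytes
            if not hmac.compare_digest(rec["value"], observed):
                continue
            if rec["domain"] != domain:
                raise ValidationError(
                    f"value was issued for {rec['domain']}, not {domain}")
            if now - rec["issued_at"] > MAX_VALUE_AGE:
                raise ValidationError("value older than 30 days; issue a new one")
            if rec["used"]:  # Kirk's "new marker at each re-vetting" reading
                raise ValidationError("value already consumed; re-vetting needs a new one")
            rec["used"] = True
            return True
        raise ValidationError("value was never issued by this CA")


def _refused(store, domain, value):
    """True when the store refuses to rely on `value` for `domain`."""
    try:
        store.verify(domain, value)
    except ValidationError:
        return True
    return False


def run_scenario():
    """Constructed walk-through of the thread's cases; returns the outcomes."""
    # Fixed clock starting on the thread's date so the run is deterministic.
    clock = {"now": datetime(2015, 6, 21, tzinfo=timezone.utc)}
    store = RandomValueStore(clock=lambda: clock["now"])

    # One multi-SAN order spanning two Authorization Domains: one value each.
    v_com = store.issue("example.com")
    v_net = store.issue("example.net")

    out = {"distinct_per_domain": v_com != v_net}
    out["fresh_value_accepted"] = store.verify("example.com", v_com)
    out["cross_domain_refused"] = _refused(store, "example.net", v_com)
    out["reuse_for_revetting_refused"] = _refused(store, "example.com", v_com)
    out["unknown_value_refused"] = _refused(store, "example.net", "deadbeef" * 4)

    # 31 days on, the still-unused example.net value is stale; a new one works.
    clock["now"] += timedelta(days=31)
    out["stale_value_refused"] = _refused(store, "example.net", v_net)
    out["reissued_value_accepted"] = store.verify("example.net", store.issue("example.net"))
    return out


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case}: {outcome}")
```

Binding the value to its Authorization Domain at issuance is what makes a cross-domain reuse (the value minted for example.com showing up in example.net's zone) detectable at all; a value that is merely "known to the CA" cannot be tied back to the domain it was meant for. The injectable clock is there only so the 30-day boundary can be exercised without waiting a month.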