[cabf_validation] Question on language for 3.2.2.4.7 DNS Change

Kirk Hall Kirk.Hall at entrust.com
Thu Jul 21 18:29:13 MST 2016


Sorry, just noticed - is a word missing from this section?

3.2.2.4.7 DNS Change

Confirming the Applicant's control over the requested FQDN by confirming the presence of a Random Value or Request Token in a DNS TXT or CAA record for an Authorization Domain Name or an Authorization Domain Name that is prefixed with a label that begins with an underscore character.

If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request and SHALL not use the Random Value after (i) 30 days or (ii) if the Applicant submitted the certificate request, [word missing?] the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).

Did we mean to include "after" so the sentence would read:

If a Random Value is used, the CA or Delegated Third Party SHALL provide a Random Value unique to the certificate request

and SHALL not use the Random Value after


(i) 30 days or

(ii) if the Applicant submitted the certificate request *after* the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 of the EV Guidelines).

[Why else would we even say "if the Applicant submitted the certificate request" - who else would submit it?]

I'm trying to understand the use case here.  Would this be when (for an EV cert) the existing customer submits a request for a new domain, foo.com, but all the organization data has expired (it's more than 13 months)?  If that's the case, why would we even need this limitation?  The cert can't be issued anyway because the other vetting data is too old.

Can someone explain (ii), and does it need to be edited?

"***and SHALL not use the Random Value after (i) 30 days or (ii) the timeframe permitted for reuse of validated information relevant to the certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3 has expired
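The following is an added illustration, written for this archive page and not code from the post, the CA/B Forum, or any CA, of how a CA could enforce the parts of 3.2.2.4.7 that are not in dispute above: a Random Value unique to each certificate request, looked for in a TXT record at the Authorization Domain Name or at an underscore-prefixed label under it, and refused once the 30-day limit in (i) has passed. The label name `_validation`, the in-memory `store`, and the injected `lookup_txt` resolver are assumptions so the code runs offline against constructed records; the example deliberately implements only limit (i), since the meaning of (ii) is exactly what the post asks about.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Limit (i) from the quoted section: a Random Value must not be used after 30 days.
RANDOM_VALUE_MAX_AGE = timedelta(days=30)

# Hypothetical underscore-prefixed label. The section only says the label
# begins with an underscore; it does not fix its name.
UNDERSCORE_LABEL = "_validation"


def issue_random_value(store, request_id, now):
    """Create a Random Value unique to one certificate request.

    `store` is an in-memory dict standing in for the CA's database:
    request_id -> (random_value, issued_at).
    """
    if request_id in store:
        # Never reissue: the value must be unique to the request.
        raise ValueError(f"request {request_id} already has a Random Value")
    value = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store[request_id] = (value, now)
    return value


def candidate_names(authorization_domain_name):
    """Names whose TXT records may carry the value: the Authorization Domain
    Name itself, or that name prefixed with an underscore label."""
    return [authorization_domain_name,
            f"{UNDERSCORE_LABEL}.{authorization_domain_name}"]


def verify_dns_change(store, request_id, authorization_domain_name, lookup_txt, now):
    """Return True only if this request's own Random Value is present, as a
    whole TXT string, at one of the candidate names and is still within the
    30-day limit.

    `lookup_txt(name)` returns the list of TXT strings published at `name`;
    it is injected so the example can run against constructed records.
    """
    if request_id not in store:
        return False
    value, issued_at = store[request_id]
    if now - issued_at > RANDOM_VALUE_MAX_AGE:
        return False  # limit (i): the value has expired
    for name in candidate_names(authorization_domain_name):
        # Exact string match only: a record that merely contains the value,
        # or a value issued for some other request, does not count.
        if value in lookup_txt(name):
            return True
    return False


def demo():
    """Constructed scenario (not data from the post): one request, one zone."""
    store = {}
    t0 = datetime(2016, 7, 21, 18, 29, tzinfo=timezone.utc)
    value = issue_random_value(store, "req-1", t0)

    # Constructed zone contents: the applicant published the value under the
    # underscore label; the apex carries an unrelated TXT record.
    zone = {
        f"{UNDERSCORE_LABEL}.example.com": [value],
        "example.com": ["v=spf1 -all"],
    }
    lookup = lambda name: zone.get(name, [])

    fresh = verify_dns_change(store, "req-1", "example.com", lookup, t0 + timedelta(days=1))
    stale = verify_dns_change(store, "req-1", "example.com", lookup, t0 + timedelta(days=31))
    other = verify_dns_change(store, "req-2", "example.com", lookup, t0)  # no value issued
    return fresh, stale, other


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check is keyed on the request's own value and issuance time, so a value that was valid for an earlier request, or that has aged past the limit, cannot satisfy a later one; whether an additional cap derived from the reuse window in (ii) should be applied is left open, matching the question in the post.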