[cabf_validation] Question on language for 3.2.2.4.7 DNS Change

J.C. Jones jc at mozilla.com
Mon Jul 25 11:39:45 MST 2016


Kirk,

I'm not positive what the intent was here, but just to nudge the
conversation: The phrase “if the Applicant submitted the certificate
request” is to avoid the case where the Random Value was provided to
applicant via a reseller.

It seems like you're on the right track though, that the idea is: If the
Random Value was provided via a reseller, it's only good for 30 days.
Otherwise, it's good for as long as the verified data is good, depending on
the type of certificate being issued.

At least, that's how I read it.
J.C.

On Thu, Jul 21, 2016 at 6:29 PM, Kirk Hall <Kirk.Hall at entrust.com> wrote:

> Sorry, just noticed – is a word missing from this section?
>
> *3.2.2.4.7 DNS Change*
>
> Confirming the Applicant's control over the requested FQDN by confirming
> the presence of a Random Value or Request Token in a DNS TXT or CAA record
> for an Authorization Domain Name or an Authorization Domain Name that is
> prefixed with a label that begins with an underscore character.
>
> If a Random Value is used, the CA or Delegated Third Party SHALL provide a
> Random Value unique to the certificate request and SHALL not use the Random
> Value after (i) 30 days or (ii) if the Applicant submitted the certificate
> request, [word missing?] the timeframe permitted for reuse of validated
> information relevant to the certificate (such as in Section 3.3.1 of these
> Guidelines or Section 11.14.3 of the EV Guidelines).
>
> Did we mean to include “after” so the sentence would read:
>
> If a Random Value is used, the CA or Delegated Third Party SHALL provide a
> Random Value unique to the certificate request
>
> and SHALL not use the Random Value after
>
> (i) 30 days or
>
> (ii) if the Applicant submitted the certificate request **after** the
> timeframe permitted for reuse of validated information relevant to the
> certificate (such as in Section 3.3.1 of these Guidelines or Section 11.14.3
> of the EV Guidelines).
>
> [Why else would we even say “if the Applicant submitted the certificate
> request” – who else would submit it?]
>
> I’m trying to understand the use case here. Would this be when (for an EV
> cert) the existing customer submits a request for a new domain, foo.com,
> but all the organization data has expired (it’s more than 13 months)? If
> that’s the case, why would we even need this limitation? The cert can’t be
> issued anyway because the other vetting data is too old.
>
> Can someone explain (ii), and does it need to be edited?
>
> “and SHALL not use the Random Value after (i) 30 days or (ii) the
> timeframe permitted for reuse of validated information relevant to the
> certificate (such as in Section 3.3.1 of these Guidelines or Section
> 11.14.3) *has expired*”
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://cabforum.org/mailman/listinfo/validation
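As an added illustration (not part of the thread, nor text from the Baseline Requirements), the following Python models J.C.'s reading of 3.2.2.4.7 as a CA-side check: the Random Value must sit in a TXT record at the Authorization Domain Name or at a single underscore-prefixed label under it, and it stays usable for 30 days when it reached the Applicant via a reseller, otherwise for the reuse window of the validated information. The `RandomValue` type, the label check and all sample records, values and dates are constructed for this example; the rule that the ADN is the FQDN or one of its parent domains is the BR definition, not something the thread states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class RandomValue:
    value: str
    issued_at: datetime
    via_reseller: bool        # Random Value reached the Applicant through a reseller
    reuse_window: timedelta   # reuse period of the validated data (BR 3.3.1 / EVG 11.14.3)

def valid_until(rv: RandomValue) -> datetime:
    """J.C.'s reading of (i)/(ii): 30 days when the value went through a reseller,
    otherwise as long as the related validated information may be reused."""
    if rv.via_reseller:
        return rv.issued_at + timedelta(days=30)
    return rv.issued_at + rv.reuse_window

def acceptable_owner_names(adn: str, txt_records: dict) -> list:
    """Owner names 3.2.2.4.7 permits: the Authorization Domain Name itself, or
    the ADN prefixed with exactly one label that begins with an underscore."""
    names = []
    for name in txt_records:
        if name == adn:
            names.append(name)
        elif name.endswith("." + adn):
            prefix = name[: -len(adn) - 1]
            if "." not in prefix and prefix.startswith("_"):
                names.append(name)
    return names

def demonstrates_control(fqdn: str, adn: str, txt_records: dict,
                         rv: RandomValue, now: datetime) -> bool:
    # The ADN must be the requested FQDN or one of its parent domains.
    if not (fqdn == adn or fqdn.endswith("." + adn)):
        return False
    if now > valid_until(rv):
        return False  # the Random Value may no longer be used under (i) or (ii)
    return any(rv.value in txt_records[n] for n in acceptable_owner_names(adn, txt_records))

# Constructed sample data (not from the thread): one TXT record under an underscore
# label, and the same Random Value issued directly versus through a reseller.
SAMPLE_TXT = {"_cabf-validation.example.com": ["rv-constructed-7d2f"]}
ISSUED = datetime(2016, 7, 1, tzinfo=timezone.utc)
SAMPLE_NOW = ISSUED + timedelta(days=45)
RV_DIRECT = RandomValue("rv-constructed-7d2f", ISSUED, False, timedelta(days=365))
RV_RESELLER = RandomValue("rv-constructed-7d2f", ISSUED, True, timedelta(days=365))

if __name__ == "__main__":
    print(demonstrates_control("www.example.com", "example.com", SAMPLE_TXT, RV_DIRECT, SAMPLE_NOW))    # True
    print(demonstrates_control("www.example.com", "example.com", SAMPLE_TXT, RV_RESELLER, SAMPLE_NOW))  # False
```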