[cabf_validation] Draft ballot - Validation Lifetime Check
J.C. Jones
jjones at mozilla.com
Thu Mar 10 17:28:15 MST 2016
All,

I want to check our mutual understanding regarding the validity period of a
particular domain validation, just to be sure!

The workflow used in ACME first validates a subscriber's domain control for
one or more FQDNs, and then for a period of time the subscriber can issue
any number of certificates for any combination of those validated FQDNs.
This permits subscribers to, for example, add a SAN to a certificate with a
minimum of fuss: any recently-validated FQDNs do not have to be
re-validated. This also makes it smoother for ACME-users to use short-lived
certificates.

For ACME's HTTP-01 and DNS-01 challenge types, validation method 6.b would
govern the interaction. As I read the draft, after verifying the Random
Value, the CA may consider the FQDN to be validated by the Subscriber for
_up to_ 39 months, per section 6.3.2 (referred to by section 3.3.1). This
permits the CA to exempt its Subscriber from having to re-verify control of
previously-verified FQDNs in the event of a minor update. This presumes the
case of DV certificates, and that clients are communicating directly to the
ACME-using CA.

Does this logic follow?

Thanks,
- J.C.
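
An added illustration, not part of the original message and not code from any ACME server: one way a CA could decide which requested SANs may reuse an earlier domain validation under the 39-month ceiling discussed above. The account IDs, dates and function names are constructed for the example, and matching on the exact FQDN per subscriber account is an assumption.

```python
import calendar
from datetime import datetime, timezone

MAX_REUSE_MONTHS = 39  # ceiling cited in the message; a CA may choose a shorter window

def add_months(ts, months):
    """Calendar-month addition, clamping the day (Nov 30 + 39 months -> Feb 29)."""
    idx = ts.month - 1 + months
    year, month = ts.year + idx // 12, idx % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)

def normalize(fqdn):
    """Compare names case-insensitively and without the trailing root dot."""
    return fqdn.strip().rstrip(".").lower()

def plan_issuance(account, requested_sans, validations, now,
                  reuse_months=MAX_REUSE_MONTHS):
    """Return (reusable, must_revalidate) for one certificate request.

    validations maps (account, fqdn) -> datetime of the last successful
    domain validation. A record counts only for the account that completed
    it and only for that exact FQDN (assumption of this example).
    """
    if not 0 < reuse_months <= MAX_REUSE_MONTHS:
        raise ValueError("reuse window must be between 1 and 39 months")
    reusable, must_revalidate = [], []
    for name in dict.fromkeys(normalize(s) for s in requested_sans):
        validated_at = validations.get((account, name))
        # Reject future-dated records as well as expired ones.
        if (validated_at is not None
                and validated_at <= now < add_months(validated_at, reuse_months)):
            reusable.append(name)
        else:
            must_revalidate.append(name)
    return reusable, must_revalidate

# Constructed sample data, not taken from any real CA.
VALIDATIONS = {
    ("acct-1", "example.com"): datetime(2016, 3, 10, tzinfo=timezone.utc),
    ("acct-1", "old.example.com"): datetime(2012, 11, 30, tzinfo=timezone.utc),
    ("acct-2", "shop.example.com"): datetime(2016, 3, 1, tzinfo=timezone.utc),
}
NOW = datetime(2016, 3, 11, tzinfo=timezone.utc)
REQUEST = ["Example.COM.", "www.example.com", "old.example.com", "shop.example.com"]

if __name__ == "__main__":
    print(plan_issuance("acct-1", REQUEST, VALIDATIONS, NOW))
```

Only `example.com` is reusable here: `www.example.com` was never validated, `old.example.com` aged out on 2016-02-29, and `shop.example.com` was validated by a different account.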