[cabf_validation] [EXT] New process to renew domains

Steve Medin Steve_Medin at symantec.com
Wed May 3 12:33:25 MST 2017


Luring us into infringing OneClick's patent, eh? Spose it makes a buck.

 

The problem with treating this as close enough to method 9 is that 9 is tied
to a certificate with a maximum life of 30 days and critical policy
poisoned, or one issued from a private root.

 

This would require another method, and I think anything that looks like
perpetual validation would agitate the worrywarts who treat certificate
owners like criminals. Highly tactile brand stickiness, though.

 

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug
Beattie via Validation
Sent: Tuesday, May 02, 2017 5:01 PM
To: validation (validation at cabforum.org) <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: [EXT] [cabf_validation] New process to renew domains

 

I'm curious what you think of this option to perform renewal of domains.   

 

Let's assume you have a few domains that have been previously verified for a
specific subscriber.  This subscriber requests a reissue and since the
domains have been verified recently and you know this is the same
subscriber, you issue the certificate with the applicable set of SANs.

 

Now, you check that they have installed the new certificate on each of the
SANs. Assuming you can set up a TLS session to that NEW certificate, do you
think it's feasible to reset the 825 day validity for those SANs (not
domains, just the SANs that you can connect to)?  It's similar to Method 9.
It's certainly not applicable for new domain validations, but it seems like
you could keep the SANs alive for a long time without needing to do specific
domain validation checks outside of this.

 

In a managed account, the subscriber might be considered the Enterprise, so
these domain re-validations could be applied to the Managed account.  This
could greatly reduce the number of domain renewal operations that are
required.

 

Doug
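The check Doug describes (open a TLS session to each SAN and see whether the newly issued certificate is the one being served), as an added sketch that is not part of the original thread or any CA's process. The function names, status strings and sample data are assumptions; wildcard SANs are skipped because there is no single host to connect to.

```python
import hashlib
import socket
import ssl


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER leaf certificate served for `host` (SNI set), or None."""
    ctx = ssl.create_default_context()  # chain and hostname are verified
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:  # covers ssl.SSLError, timeouts, DNS and connect failures
        return None


def sans_serving_cert(issued_der, sans, fetch=fetch_leaf_der):
    """Classify each SAN by whether it serves exactly the issued certificate."""
    want = hashlib.sha256(issued_der).digest()
    status = {}
    for san in sans:
        if san.startswith("*."):
            status[san] = "skipped-wildcard"
            continue
        served = fetch(san)
        if served is None:
            status[san] = "no-tls"
        elif hashlib.sha256(served).digest() == want:
            status[san] = "match"
        else:
            status[san] = "different-cert"
    return status


def renewable(status):
    """Only SANs that served the new certificate qualify, per the proposal."""
    return sorted(s for s, v in status.items() if v == "match")


if __name__ == "__main__":
    # Constructed sample: byte strings stand in for DER certificates, and a
    # dict lookup stands in for the network fetch so this runs offline.
    new_cert = b"constructed-new-cert"
    served = {"www.example.com": new_cert,
              "old.example.com": b"constructed-old-cert"}
    sans = ["www.example.com", "old.example.com",
            "down.example.com", "*.example.com"]
    result = sans_serving_cert(new_cert, sans, fetch=served.get)
    print(result)
    print("renewable:", renewable(result))
```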
