[cabf_validation] [EXT] New process to renew domains

Doug Beattie doug.beattie at globalsign.com
Wed May 3 13:05:09 MST 2017

Funny Steve!


Yes, it is a new method, #12, which would be only applicable for
revalidating domains in certificates issued in compliance with methods 1-10.
If loading up a test cert to a site works, why not a production certificate?

- I suppose we could say the validation of the SANs on the new cert must
happen within 30 days (not sure if this is important or not, but someone
would let us know)

- The reason the test cert is poisoned or from an untrusted root is that the
SANs are not yet validated, so you can't issue a new cert that is trusted.
But, in this case, the cert you're issuing is totally compliant. You'd just
like the fact they installed this cert to improve the issuance process for
future certificates.




From: Steve Medin [mailto:Steve_Medin at symantec.com] 
Sent: Wednesday, May 3, 2017 3:33 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: RE: [EXT] [cabf_validation] New process to renew domains


Luring us into infringing OneClick's patent, eh? Spose it makes a buck.


The problem with treating this as close enough to method 9 is that 9 is tied
to a certificate with a maximum life of 30 days and critical policy
poisoned, or one issued from a private root.


This would require another method, and I think anything that looks like
perpetual validation would agitate the worrywarts who treat certificate
owners like criminals. Highly tactile brand stickiness, though.


From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug
Beattie via Validation
Sent: Tuesday, May 02, 2017 5:01 PM
To: validation (validation at cabforum.org) <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: [EXT] [cabf_validation] New process to renew domains


I'm curious what you think of this option to perform renewal of domains.   


Let's assume you have a few domains that have been previously verified for a
specific subscriber.  This subscriber requests a reissue and since the
domains have been verified recently and you know this is the same
subscriber, you issue the certificate with the applicable set of SANs.


Now, you check that they have installed the new certificate on each of the
SANs. Assuming you can set up a TLS session to that NEW certificate, do you
think it's feasible to reset the 825 day validity for those SANs (not
domains, just the SANs that you can connect to)?  It's similar to Method 9.
It's certainly not applicable for new domain validations, but it seems like
you could keep the SANs alive for a long time without needing to do specific
domain validation checks outside of this.


In a managed account, the subscriber might be considered the Enterprise, so
these domain re-validations could be applied to the Managed account.  This
could greatly reduce the number of domain renewal operations that are



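As an added example (not code from the thread, nor from any CA's systems), the check the proposal relies on, written from the CA's side: connect to each SAN of the certificate that was just issued and record whether exactly that certificate is being served (SHA-256 fingerprint of the leaf, not merely some certificate for the name), whether the probed name is a dNSName of that certificate, and whether the probe falls inside the 30-day window Doug suggests. The `IssuedCert` record, `CHECK_WINDOW_DAYS`, and all function names are assumptions; the decision logic is kept separate from the network probe so it can be tested offline.

```python
"""Added example: probe each SAN of a newly issued certificate and record
whether the subscriber installed exactly that certificate.

Assumptions (hypothetical): the CA keeps an issuance record (IssuedCert) with
the leaf's SHA-256 fingerprint, its dNSNames and notBefore; the probe must
happen within CHECK_WINDOW_DAYS of issuance (the thread's "30 days")."""
import hashlib
import socket
import ssl
import time
from dataclasses import dataclass, field

CHECK_WINDOW_DAYS = 30  # hypothetical policy value taken from the thread


@dataclass(frozen=True)
class IssuedCert:
    """What the CA already knows about the certificate it issued."""
    sha256: str          # hex SHA-256 of the DER-encoded leaf
    sans: tuple          # dNSName values placed in the certificate
    not_before: float    # notBefore as epoch seconds


@dataclass
class ProbeResult:
    san: str
    fingerprint_match: bool = False
    san_covered: bool = False
    within_window: bool = False
    reasons: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.fingerprint_match and self.san_covered and self.within_window


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def san_covered_by(san: str, sans) -> bool:
    """True if `san` is listed literally or covered by a single-label wildcard.
    A wildcard must leave at least two labels to its right (*.example.com),
    so '*.com' never counts."""
    san = san.lower().rstrip(".")
    names = {n.lower().rstrip(".") for n in sans}
    if san in names:
        return True
    labels = san.split(".")
    return len(labels) >= 3 and "*." + ".".join(labels[1:]) in names


def evaluate(record: IssuedCert, san: str, served_der: bytes, checked_at: float) -> ProbeResult:
    """Pure decision logic, separated from networking so it can be unit-tested."""
    res = ProbeResult(san)
    res.fingerprint_match = sha256_fingerprint(served_der) == record.sha256.lower()
    if not res.fingerprint_match:
        res.reasons.append("served leaf is not the certificate the CA issued")
    res.san_covered = san_covered_by(san, record.sans)
    if not res.san_covered:
        res.reasons.append("probed SAN is not a dNSName of the issued certificate")
    age_days = (checked_at - record.not_before) / 86400
    res.within_window = 0 <= age_days <= CHECK_WINDOW_DAYS
    if not res.within_window:
        res.reasons.append(f"probe {age_days:.1f} days after notBefore, outside "
                           f"{CHECK_WINDOW_DAYS}-day window")
    return res


def probe_san(record: IssuedCert, san: str, port: int = 443, timeout: float = 10.0) -> ProbeResult:
    """Connect with SNI set to `san` and fetch the served leaf.
    Chain verification is intentionally off here: the binding comes from the
    leaf fingerprint matching the CA's own record, not from the peer's chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((san, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=san) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError) as exc:
        res = ProbeResult(san)
        res.reasons.append(f"TLS probe failed: {exc}")
        return res
    return evaluate(record, san, der, time.time())


if __name__ == "__main__":
    # Placeholder record; a real run would take this from the CA's issuance data.
    rec = IssuedCert(sha256="<issued leaf sha256 hex>", sans=("www.example.com",),
                     not_before=time.time())
    for name in rec.sans:
        r = probe_san(rec, name)
        print(name, "OK" if r.ok else "FAIL", r.reasons)
```

Comparing the served leaf by fingerprint is the part that matters: a hostname-only check would be satisfied by any certificate the subscriber happens to have for the name, including the previous one, and so would say nothing about whether the new certificate was installed.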