[cabf_validation] New process to renew domains

Bruce Morton Bruce.Morton at entrustdatacard.com
Wed May 3 13:19:40 MST 2017


+1

This idea seems as reliable as the test certificate method which was approved and supports reissue and renewal.

Bruce.

From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Doug Beattie via Validation
Sent: Tuesday, May 2, 2017 5:01 PM
To: validation (validation at cabforum.org) <validation at cabforum.org>
Cc: Doug Beattie <doug.beattie at globalsign.com>
Subject: [EXTERNAL][cabf_validation] New process to renew domains

I'm curious what you think of this option to perform renewal of domains.

Let's assume you have a few domains that have been previously verified for a specific subscriber.  This subscriber requests a reissue and since the domains have been verified recently and you know this is the same subscriber, you issue the certificate with the applicable set of SANs.

Now, you check that they have installed the new certificate on each of the SANs. Assuming you can set up a TLS session to that NEW certificate, do you think it's feasible to reset the 825 day validity for those SANs (not domains, just the SANs that you can connect to)?  It's similar to Method 9.  It's certainly not applicable for new domain validations, but it seems like you could keep the SANs alive for a long time without needing to do specific domain validation checks outside of this.

In a managed account, the subscriber might be considered the Enterprise, so these domain re-validations could be applied to the Managed account.  This could greatly reduce the number of domain renewal operations that are required.

Doug
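
The check proposed in the quoted message (open a TLS session to each SAN and confirm the new certificate is the one being served) could look like the following. This is an added example, not part of the original messages or any CA's tooling. The function names, the status strings, the choice to skip wildcard SANs and the SHA-256 fingerprint comparison are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
from typing import Callable, Dict, Iterable, Optional


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> Optional[bytes]:
    """Return the DER leaf certificate served for `host` (SNI = host), or None."""
    ctx = ssl.create_default_context()
    # Chain and hostname checks are off on purpose: the decision below is made
    # by comparing the served leaf with the exact certificate that was issued.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:  # covers DNS failure, refused connection, ssl.SSLError
        return None


def check_sans(issued_der: bytes, sans: Iterable[str],
               fetch: Callable[[str], Optional[bytes]] = fetch_leaf_der) -> Dict[str, str]:
    """Classify each SAN; only 'new-cert-installed' SANs would qualify for a reset."""
    want = hashlib.sha256(issued_der).hexdigest()
    results: Dict[str, str] = {}
    for san in sans:
        name = san.strip().lower().rstrip(".")
        if name.startswith("*."):
            # A wildcard SAN is not a hostname that can be connected to.
            results[name] = "skipped-wildcard"
            continue
        served = fetch(name)
        if served is None:
            results[name] = "unreachable"
        elif hashlib.sha256(served).hexdigest() == want:
            results[name] = "new-cert-installed"
        else:
            # Something answers on this name, but with a different certificate.
            results[name] = "other-cert"
    return results
```

The per-SAN result matches the scope in the message: a name that is unreachable or still serves another certificate gets no reset, even when other SANs on the same certificate pass.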