[cabf_validation] New process to renew domains

Peter Bowen pzb at amzn.com
Wed May 3 13:18:49 MST 2017

> On May 2, 2017, at 2:01 PM, Doug Beattie via Validation <validation at cabforum.org> wrote:
> I’m curious what you think of this option to perform renewal of domains.   
> Let’s assume you have a few domains that have been previously verified for a specific subscriber.  This subscriber requests a reissue and since the domains have been verified recently and you know this is the same subscriber, you issue the certificate with the applicable set of SANs.
> Now, you check that they have installed the new certificate on each of the SANs. Assuming you can set up a TLS session to that NEW certificate, do you think it’s feasible to reset the 825 day validity for those SANs (not domains, just the SANs that you can connect to)?  It’s similar to Method 9.  It’s certainly not applicable for new domain validations, but it seems like you could keep the SANs alive for a long time without needing to do specific domain validation checks outside of this.
> In a managed account, the subscriber might be considered the Enterprise, so these domain re-validations could be applied to the Managed account.  This could greatly reduce the number of domain renewal operations that are required.


I think that this might already be allowed in 1.4.1. Method “TLS Using a Random Number” would seem to allow this assuming your certificate serial numbers have at least 112 bits of entropy, as that would be your “Random Value”. If the certificate is replaced more often than validation is required, then you have the continual validation.

