[cabf_validation] Agenda for this week
Doug Beattie
doug.beattie at globalsign.com
Tue Jan 2 14:02:02 MST 2018
If the web site operator can install a new certificate (or a test cert like
method 9), that shows administrative control over the domain. If the domain
changed hands and the entity running the web site can still install a
certificate (or put a file in the /well-known directory for that matter),
then the "renewal" would happen even if domain "ownership" had changed. I'm
not sure I see the difference.
Doug
From: Tim Hollebeek [mailto:tim.hollebeek at digicert.com]
Sent: Tuesday, January 2, 2018 3:54 PM
To: Doug Beattie <doug.beattie at globalsign.com>; CA/Browser Forum Validation
WG List <validation at cabforum.org>
Subject: RE: Agenda for this week
I personally think this has about zero chance of flying with the browsers,
who have expressed concern about the domain no longer being under the same
ownership if no validation is done for renewals.
But I'm happy to discuss anything anyone wants to discuss, so we can get
everyone's perspective. I'll add it.
-Tim
From: Doug Beattie [mailto:doug.beattie at globalsign.com]
Sent: Tuesday, January 2, 2018 1:50 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum Validation
WG List <validation at cabforum.org>
Subject: RE: Agenda for this week
Hi Tim,
This isn't super important, but something I would like to discuss at some
point as a new domain validation method for domain re-validation only. I
think I brought this up casually once a while back.
- Once you have a domain, or set of domains validated and a cert
issued with a bunch of SANs, is it possible to verify that when the new
certificate is present on a SAN (within 30 days) it constitutes a new domain
validation for that SAN and that would re-set the 825 day domain validation
clock? It's basically #9 but with a production certificate (which is OK,
because going into this the domains were all validated using one of the
approved methods for initial domain validation). If the CA wanted to re-use
the domain validation for more than one SAN in that certificate, then each
SAN would need to be verified to have the new certificate present.
If we did this, then CAs would effectively not need to do new domain
validations if the SANs didn't change as long as they recorded the
applicable validations (for each SAN, you found the new certificate).
Doug
From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Tim
Hollebeek via Validation
Sent: Tuesday, January 2, 2018 2:45 PM
To: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: [cabf_validation] Agenda for this week
Please let me know if you have other topics you want discussed.
1. Continue IP validation discussion.
2. EV improvement discussion.
Homework from previous call:
- continue to think about ways to improve EV
- be familiar with the methods your company uses to validate IPs
(if any)
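
The per-SAN bookkeeping that the re-validation proposal in this thread describes, as an added example that is not part of the original messages or any CA's code. The function names, the sample data and the reading of "within 30 days" as 30 days from issuance are assumptions; the certificates are constructed byte strings compared by SHA-256 fingerprint.

```python
import hashlib
from datetime import date, timedelta

PRESENCE_WINDOW = timedelta(days=30)   # "within 30 days" (assumed: of issuance)
REUSE_PERIOD = timedelta(days=825)     # the 825 day domain validation clock

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def revalidate(issued_der, issued_on, sans, prior, observations):
    """Return {san: date of the validation now on record}.

    prior:        {san: date last validated by an approved method}
    observations: [(san, seen_on, der_served)] as recorded by the CA
    """
    want = fingerprint(issued_der)
    record = dict(prior)
    for san, seen_on, der in observations:
        if san not in sans or san not in prior:
            continue   # re-validation only, and only for SANs in this cert
        if fingerprint(der) != want:
            continue   # a different certificate is being served
        if not issued_on <= seen_on <= issued_on + PRESENCE_WINDOW:
            continue   # seen outside the 30 day window
        record[san] = max(record[san], seen_on)   # reset this SAN's clock only
    return record

def reusable(validated_on: date, today: date) -> bool:
    return today <= validated_on + REUSE_PERIOD

# Constructed sample data (not real certificates or real observations).
NEW_CERT = b"constructed-der-bytes-new-cert"
OLD_CERT = b"constructed-der-bytes-old-cert"
SANS = {"example.com", "www.example.com", "shop.example.com"}
PRIOR = {san: date(2016, 1, 15) for san in SANS}
ISSUED_ON = date(2018, 1, 2)
OBSERVATIONS = [
    ("example.com", date(2018, 1, 5), NEW_CERT),       # present, in window
    ("www.example.com", date(2018, 1, 5), OLD_CERT),   # still the old cert
    ("shop.example.com", date(2018, 2, 20), NEW_CERT), # present, too late
]
RECORD = revalidate(NEW_CERT, ISSUED_ON, SANS, PRIOR, OBSERVATIONS)

if __name__ == "__main__":
    for san in sorted(RECORD):
        print(san, RECORD[san], reusable(RECORD[san], date(2018, 6, 1)))
```

The check records who could install a certificate at each SAN on the observation date; whether that is sufficient when a domain has changed hands is the question the thread raises.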