[cabf_validation] [cabfman] 2023-11-02 Draft Minutes of the Validation Subcommittee

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Nov 7 05:57:54 UTC 2023

I missed the last validation subcommittee call but the following from 
the draft minutes caught my attention.

On 7/11/2023 12:19 π.μ., Corey Bonnell via Management wrote:
> /- Validity period for Technically Constrained Sub-CA and validation 
> period for Domain Namespace - Wayne said that Ryan Sleevi filed this 
> and it has to do with the ‘verified namespace’ for an enterprise RA./
> //
> /Clint said that this is on Apple’s backlog. In particular clarifying 
> that a domain name in a technically constrained subCA needs to be 
> revalidated on the same cadence as any other domain name. Clint said 
> that he hopes to work in this in the next year./

Section 4.2.1 
of the BRs states that:

> For validation of Domain Names and IP Addresses according to Section 
> and, any reused data, document, or completed 
> validation MUST be obtained no more than 398 days prior to issuing the 
> Certificate

states for dNSName and iPAddress that:

> The CA MUST confirm that the Applicant has registered the |dNSName| or 
> has been authorized by the domain registrant to act on the 
> registrant's behalf. See Section 
> <https://github.com/cabforum/servercert/blob/main/docs/BR.md#3224-validation-of-domain-authorization-or-control>.

> The CA MUST confirm that the Applicant has been assigned the 
> |iPAddress| range or has been authorized by the assigner to act on the 
> asignee's behalf. See Section 
> <https://github.com/cabforum/servercert/blob/main/docs/BR.md#3225-authentication-for-an-ip-address>.

These sections are linked together. My reading of these requirements is 
that a CA that issues a Technically Constrained TLS SubCA must 
re-validate the Domain Namespace every 398 days. In fact, the only way 
to do this is by using the methods that are eligible for the 
issuance of wildcard certificates. Perhaps the last part is not very 
clearly stated but the re-validation should be clear.

The tricky part is with the IP Address space because the methods 
currently defined in do not all guarantee the control of an 
entire IP space. We could do some work in to explicitly call out 
the methods that are eligible for IP space validation just like we did 
with the Wildcard Domain Name validation.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20231107/3c7e3969/attachment.html>

More information about the Validation mailing list