[cabf_validation] [cabfman] 2023-11-02 Draft Minutes of the Validation Subcommittee
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Tue Nov 7 05:57:54 UTC 2023
I missed the last validation subcommittee call but the following from
the draft minutes caught my attention.
On 7/11/2023 12:19 π.μ., Corey Bonnell via Management wrote:
>
> /- Validity period for Technically Constrained Sub-CA and validation
> period for Domain Namespace - Wayne said that Ryan Sleevi filed this
> and it has to do with the ‘verified namespace’ for an enterprise RA./
>
> //
>
> /Clint said that this is on Apple’s backlog. In particular clarifying
> that a domain name in a technically constrained subCA needs to be
> revalidated on the same cadence as any other domain name. Clint said
> that he hopes to work in this in the next year./
>
Section 4.2.1
<https://github.com/cabforum/servercert/blob/main/docs/BR.md#421-performing-identification-and-authentication-functions>
of the BRs states that:
> For validation of Domain Names and IP Addresses according to Section
> 3.2.2.4 and 3.2.2.5, any reused data, document, or completed
> validation MUST be obtained no more than 398 days prior to issuing the
> Certificate
Section 7.1.2.5.2
<https://github.com/cabforum/servercert/blob/main/docs/BR.md#71252-technically-constrained-tls-subordinate-ca-name-constraints>
states for dNSName and iPAddress that:
> The CA MUST confirm that the Applicant has registered the |dNSName| or
> has been authorized by the domain registrant to act on the
> registrant's behalf. See Section 3.2.2.4
> <https://github.com/cabforum/servercert/blob/main/docs/BR.md#3224-validation-of-domain-authorization-or-control>.
> The CA MUST confirm that the Applicant has been assigned the
> |iPAddress| range or has been authorized by the assigner to act on the
> asignee's behalf. See Section 3.2.2.5
> <https://github.com/cabforum/servercert/blob/main/docs/BR.md#3225-authentication-for-an-ip-address>.
These sections are linked together. My reading of these requirements is
that a CA that issues a Technically Constrained TLS SubCA must
re-validate the Domain Namespace every 398 days. In fact, the only way
to do this is by using the 3.2.2.4 methods that are eligible for the
issuance of wildcard certificates. Perhaps the last part is not very
clearly stated but the re-validation should be clear.
The tricky part is with the IP Address space because the methods
currently defined in 3.2.2.5 do not all guarantee the control of an
entire IP space. We could do some work in 3.2.2.5 to explicitly call out
the methods that are eligible for IP space validation just like we did
with the Wildcard Domain Name validation.
Thanks,
Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20231107/3c7e3969/attachment.html>
More information about the Validation
mailing list