On Tuesday, February 28, 2017 at 5:49:32 PM UTC+2, Andrew Ayer wrote:
> Note that the BRs do not require a domain to exist when a CA issues a
> DV/OV certificate for it. The BRs only require that the CA validated
> the domain at some point in the 39 months prior to issuance.

Sad to know. Pasting the ballot for future reference:

---
3.2.2.4. Validation of Domain Authorization or Control

The CA SHALL confirm that, as of the date the Certificate issues, either the CA or a Delegated Third Party has validated each Fully‐Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.

Completed confirmations of Applicant authority may be valid for the issuance of multiple certificates over time. In all cases, the confirmation must have been initiated within the time period specified in the relevant requirement (such as Section 3.3.1 of this document) prior to certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate.

---
3.3.1. Identification and Authentication for Routine Re‐key

Section 6.3.2 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that the CA obtained the data or document from a source specified under Section 3.2 no more than thirty‐nine (39) months prior to issuing the Certificate.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy