I sent this two hours ago, but apparently only to Doug. This is another potential alternative that would keep the language close to the rest of the validation rules.
We will face the same issue if and when the reuse of data rules in the EVGL are rewritten to an RFC 3647 format.

From: Kirk Hall (RD-US)
Sent: Thursday, December 03, 2015 2:32 PM
To: 'Doug Beattie'
Subject: RE: Age of Certificate Data

Doug, I agree with you - but I think we have to find an existing RFC 3647 heading that works (can't make a new one and still be following the RFC 3647 format). I pasted in below the sections we have from RFC 3647 - sadly, they forgot to include re-authentication.

Maybe we add a new paragraph at the end of BR 3.2.2 and use the old text. We would support that if someone wants to include it in a ballot. Perhaps we add it to the upcoming domain validation ballot?

3.2.2. Authentication of Organization and Domain Identity

[Existing paragraphs]

*** Section [6.3.2] limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section [3.2] to verify certificate information, provided that the CA obtained the data or document from a source specified under Section [3.2] no more than thirty-nine (39) months prior to issuing the Certificate.

RFC 3647
3.2 Initial identity validation
3.2.1 Method to prove possession of private key
3.2.2 Authentication of organization identity
3.2.3 Authentication of individual identity
3.2.4 Non-verified subscriber information
3.2.5 Validation of authority
3.2.6 Criteria for interoperation
3.3 Identification and authentication for re-key requests
3.3.1 Identification and authentication for routine re-key
3.3.2 Identification and authentication for re-key after revocation
3.4 Identification and authentication for revocation request

From: [email protected] [mailto:[email protected]] On Behalf Of Doug Beattie
Sent: Thursday, December 03, 2015 4:35 AM
To: CABFPub
Subject: [cabfpub] Age of Certificate Data

I might have mentioned this before but ran across it again today.

Prior to RFC 3647 format conversion we had this:

11.3 Age of Certificate Data
Section 9.4 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 11 to verify certificate information, provided that the CA obtained the data or document from a source specified under Section 11 no more than thirty-nine (39) months prior to issuing the Certificate.

But now we have this:

3.3 Identification and authentication for re-key requests
3.3.1 Identification and Authentication for Routine Re-key
Section 6.3.2 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, provided that the CA obtained the data or document from a source specified under Section 3.2 no more than thirty-nine (39) months prior to issuing the Certificate.

The re-use of certificate data seems to be limited to routine re-key requests, when before it could be used for any purpose. Can we find a new heading section for this so it's clear we can use it for purposes other than re-key? Maybe a new section, 3.5, for this purpose?
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
