SC-102 alternative: align EV domain validation reuse and validity with the Baseline Requirements #669
Open
dustinhollenback-apple wants to merge 3 commits into
…h the Baseline Requirements

## Summary

This is an alternative draft of SC-102. Where the current draft (cabforum#661) adds an EV-specific requirement to re-confirm that a domain remains registered to the same Legal Entity, this version instead aligns EV domain re-validation directly with the Baseline Requirements and removes hardcoded values that have become stale.

The EV Guidelines currently:

- require CAs to re-check WHOIS or RDAP registration data when revalidating domain names for existing subscribers (Section 3.2.2.14.1);
- hardcode "398 days" as the Domain Name data reuse period (Section 3.2.2.14.3); and
- hardcode an EV certificate validity ceiling of 398 days plus a recommended twelve-month maximum (Section 6.3.2).

With WHOIS-based validation sunsetting (SC-080) and the Baseline Requirements now carrying a schedule that reduces both validity and data reuse periods over time (SC-081), these provisions are out of date. The 398-day validity ceiling and the 398-day domain reuse period are both already superseded by the Baseline Requirements (200 days today, reducing further on the published schedule). Read in isolation they suggest, incorrectly, that EV certificates may have longer lifetimes or longer data reuse than other TLS certificates. An EV certificate is a TLS Subscriber Certificate and is bound by the BR limits.

## Changes

This ballot makes four changes:

1. Section 3.2.2.14.1(6): removes the WHOIS/RDAP same-registrant test. The Applicant's right to use the Domain Name is re-verified under Section 3.2.2.7 (which follows BR Section 3.2.2.4), at the data reuse cadence set in Section 3.2.2.14.3(1)(F).
2. Section 3.2.2.14.3(1)(F): replaces the hardcoded "398 days" Domain Name reuse period with a reference to Section 4.2.1 of the Baseline Requirements, so the EVG tracks the planned reductions automatically.
3. Section 3.2.2.14.3(2): corrects the "398-day period" sentence, which is no longer accurate for every item once item (F) references the Baseline Requirements.
4. Section 6.3.2: replaces the stale EV validity language with a reference to Section 6.3.2 of the Baseline Requirements.

The identity-data reuse periods in Section 3.2.2.14.3(1)(A) through (E) and (G) are unchanged; they remain at 398 days, which matches the BR Subject Identity Information reuse period.
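As an added illustration (not part of the ballot text or the PR), a pre-issuance check that applies the distinction the ballot draws: Domain Name validation evidence may be reused only within the Baseline Requirements window (assumed here to be the 200 days the description cites for today), Subject Identity Information within the EVG's 398 days, and certificate validity is capped at the BR ceiling. The constants, function names and sample records are assumptions, not values from the ballot.

```python
from datetime import date, timedelta

# Assumed limits for this example. The page states the BR currently cap
# validity and Domain Name reuse at 200 days and that these shrink on a
# published schedule; a real lint would load the schedule, not a constant.
BR_MAX_VALIDITY_DAYS = 200      # BR Section 6.3.2 ceiling (assumed current value)
BR_DOMAIN_REUSE_DAYS = 200      # BR Section 4.2.1 domain data reuse (assumed)
EVG_IDENTITY_REUSE_DAYS = 398   # EVG 3.2.2.14.3(1)(A)-(E),(G), unchanged by the ballot


def _d(iso):
    """Parse an ISO date string (YYYY-MM-DD) into a date."""
    return date.fromisoformat(iso)


def stale_validations(records, issuance):
    """Return labels of validation records too old to reuse at `issuance`.

    records: list of (label, kind, validated_on) with kind "domain" or
    "identity"; all dates are ISO strings. Domain evidence is judged against
    the BR window, identity evidence against the EVG 398-day period.
    """
    stale = []
    for label, kind, validated_on in records:
        window = BR_DOMAIN_REUSE_DAYS if kind == "domain" else EVG_IDENTITY_REUSE_DAYS
        if _d(issuance) - _d(validated_on) > timedelta(days=window):
            stale.append(label)
    return stale


def validity_ok(not_before, not_after):
    """An EV certificate is a TLS Subscriber Certificate: BR ceiling applies."""
    return _d(not_after) - _d(not_before) <= timedelta(days=BR_MAX_VALIDITY_DAYS)


def preissuance_check(records, not_before, not_after):
    """Collect every reason the requested EV issuance must be refused."""
    problems = stale_validations(records, not_before)
    if not validity_ok(not_before, not_after):
        problems.append("validity exceeds BR ceiling")
    return problems


if __name__ == "__main__":
    # Constructed sample: both validations are 250 days old on 2025-06-01.
    # The domain check is stale under the 200-day BR window, the identity
    # check is still reusable under 398 days, and a 398-day validity (the
    # old EVG ceiling) fails the BR cap.
    sample = [("example.com DCV", "domain", "2024-09-24"),
              ("Legal Entity verification", "identity", "2024-09-24")]
    print(preissuance_check(sample, "2025-06-01", "2026-07-04"))
```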
Minor additional corrections.
Very clean! Like it a lot.
## Summary
This is an alternative to #661. It lets the Baseline Requirements govern EV domain re-validation rather than adding the EV-specific same-entity check that #661 proposes. It also removes hardcoded numbers in the EVG that are now wrong.
The EV Guidelines today:
WHOIS-based validation is being retired (SC-080), and SC-081 put certificate validity and data reuse periods on a schedule that shrinks them over time. The two "398 day" figures are already wrong: the Baseline Requirements cap both validity and Domain Name reuse at 200 days today, and lower on the published schedule. An EV certificate is a TLS Subscriber Certificate, so it is already bound by those limits, and the separate EVG numbers only invite confusion.
## Changes
This ballot makes four changes:
Items (A) through (E) and (G) in Section 3.2.2.14.3(1) stay at 398 days, which matches the Baseline Requirements Subject Identity Information reuse period.