From dcf36c4d7e34f8d51366ad4ff1bcb96bb8726b8f Mon Sep 17 00:00:00 2001 
From: Dustin Hollenback - Apple Date: Wed, 10 Jun 2026 16:48:22 -0700 Subject: [PATCH 1/3] SC-102 alternative: align EV domain validation reuse and validity with the Baseline Requirements ## Summary This is an alternative draft of SC-102. Where the current draft (#661) adds an EV-specific requirement to re-confirm that a domain remains registered to the same Legal Entity, this version instead aligns EV domain re-validation directly with the Baseline Requirements and removes hardcoded values that have become stale. The EV Guidelines currently: - require CAs to re-check WHOIS or RDAP registration data when revalidating domain names for existing subscribers (Section 3.2.2.14.1); - hardcode "398 days" as the Domain Name data reuse period (Section 3.2.2.14.3); and - hardcode an EV certificate validity ceiling of 398 days plus a recommended twelve-month maximum (Section 6.3.2). With WHOIS-based validation sunsetting (SC-080) and the Baseline Requirements now carrying a schedule that reduces both validity and data reuse periods over time (SC-081), these provisions are out of date. The 398-day validity ceiling and the 398-day domain reuse period are both already superseded by the Baseline Requirements (200 days today, reducing further on the published schedule). Read in isolation they suggest, incorrectly, that EV certificates may have longer lifetimes or longer data reuse than other TLS certificates. An EV certificate is a TLS Subscriber Certificate and is bound by the BR limits. ## Changes This ballot makes four changes: 1. Section 3.2.2.14.1(6): removes the WHOIS/RDAP same-registrant test. The Applicant's right to use the Domain Name is re-verified under Section 3.2.2.7 (which follows BR Section 3.2.2.4), at the data reuse cadence set in Section 3.2.2.14.3(1)(F). 2. Section 3.2.2.14.3(1)(F): replaces the hardcoded "398 days" Domain Name reuse period with a reference to Section 4.2.1 of the Baseline Requirements, so the EVG tracks the planned reductions automatically. 3. 
Section 3.2.2.14.3(2): corrects the "398-day period" sentence, which is no longer accurate for every item once item (F) references the Baseline Requirements. 4. Section 6.3.2: replaces the stale EV validity language with a reference to Section 6.3.2 of the Baseline Requirements. The identity-data reuse periods in Section 3.2.2.14.3(1)(A) through (E) and (G) are unchanged; they remain at 398 days, which matches the BR Subject Identity Information reuse period. --- docs/EVG.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index 556dde91..aa2bf983 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -935,7 +935,7 @@ If an Applicant has a currently valid EV Certificate issued by the CA, a CA MAY 3. The Applicant's Verified Method of Communication required by [Section 3.2.2.5](#3225-verified-method-of-communication) but still MUST perform the verification required by [Section 3.2.2.5.2](#32252-acceptable-methods-of-verification) (B); 4. The Applicant's Operational Existence under [Section 3.2.2.6](#3226-verification-of-applicants-operational-existence); 5. The Name, Title, Agency and Authority of the Contract Signer, and Certificate Approver, under [Section 3.2.2.8](#3228-verification-of-name-title-and-authority-of-contract-signer-and-certificate-approver); and -6. The Applicant's right to use the specified Domain Name under [Section 3.2.2.7](#3227-verification-of-applicants-domain-name), provided that the CA verifies that the WHOIS record or RDAP registry data still shows the same registrant as when the CA verified the specified Domain Name for the initial EV Certificate. +6. The Applicant's right to use the specified Domain Name under [Section 3.2.2.7](#3227-verification-of-applicants-domain-name). ##### 3.2.2.14.2 Re-issuance Requests 
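Review bot: the replacement item 6 in the 3.2.2.14.1 hunk drops the WHOIS/RDAP same-registrant condition but does not say what now bounds reuse of the domain verification; the commit message relies on the cadence in Section 3.2.2.14.3(1)(F), yet the new line reads as unconditional. Suggest making that dependency explicit in the item itself, e.g. `+6. The Applicant's right to use the specified Domain Name under [Section 3.2.2.7](#3227-verification-of-applicants-domain-name), subject to the data reuse period in Section 3.2.2.14.3.` so that a reader of item 6 alone does not conclude the domain verification can be reused indefinitely once the EV relationship exists.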
@@ -953,12 +953,12 @@ A CA may rely on a previously verified certificate request to issue a replacemen C. Address of Place of Business - 398 days; D. Verified Method of Communication - 398 days; E. Operational existence - 398 days; - F. Domain Name - 398 days; + F. Domain Name - the maximum data reuse period specified for Domain Names in Section 4.2.1 of the Baseline Requirements; G. Name, Title, Agency, and Authority - 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. -2. The 398-day period set forth above SHALL begin to run on the date the information was collected by the CA. -3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 3.2.2.9](#3229-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 3.2.2.10](#32210-verification-of-approval-of-ev-certificate-request). -4. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 3.2.2.14.1](#322141-validation-for-existing-subscribers). +1. Each period set forth above SHALL begin to run on the date the relevant information was collected by the CA. +2. 
The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 3.2.2.9](#3229-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 3.2.2.10](#32210-verification-of-approval-of-ev-certificate-request). +3. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 3.2.2.14.1](#322141-validation-for-existing-subscribers). ### 3.2.3 Authentication of individual identity @@ -1370,9 +1370,7 @@ All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally t ### 6.3.2 Certificate operational periods and key pair usage periods -The Validity Period for an EV Certificate SHALL NOT exceed 398 days. - -It is RECOMMENDED that EV Subscriber Certificates have a Maximum Validity Period of twelve months. +EV Certificates are subject to the Validity Period requirements of [Section 6.3.2](#632-certificate-operational-periods-and-key-pair-usage-periods) of the Baseline Requirements. ## 6.4 Activation data From 11e1e975956298b270e1b386322a9511da6e05d8 Mon Sep 17 00:00:00 2001 From: Dustin Hollenback - Apple Date: Wed, 10 Jun 2026 17:10:17 -0700 Subject: [PATCH 2/3] Update EVG document to version 2.0.3 Minor additional corrections. --- docs/EVG.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/EVG.md b/docs/EVG.md index aa2bf983..8a3acfd6 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -1,10 +1,10 @@ --- title: Guidelines for the Issuance and Management of Extended Validation Certificates -subtitle: Version 2.0.2 +subtitle: Version 2.0.3 author: - CA/Browser Forum -date: 4 May, 2026 +date: TBD July, 2026 copyright: | Copyright 2026 CA/Browser Forum 
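Review bot: the renumbering in the 3.2.2.14.3 hunk (`-2.`/`-3.`/`-4.` replaced by `+1.`/`+2.`/`+3.`) leaves the list with two items numbered 1, because the A through G schedule is already item 1; the second commit in the series ("Update EVG document to version 2.0.3") restores 2/3/4. Squash that correction into this commit so the series does not carry a known-broken intermediate state, and keep item 4's existing cross-reference to "the time limits specified above" valid by leaving the numbering as 2, 3, 4.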
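Review bot: in the 6.3.2 hunk the link `[Section 6.3.2](#632-certificate-operational-periods-and-key-pair-usage-periods)` is an in-document anchor, so it resolves to this EVG section rather than to the Baseline Requirements and the sentence ends up pointing at itself. The second commit drops the link and uses plain text ("Section 6.3.2 of the Baseline Requirements"); that fix belongs in this commit, and if a link is wanted it should be an external reference to the BR document rather than a local heading anchor.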
@@ -956,9 +956,9 @@ A CA may rely on a previously verified certificate request to issue a replacemen F. Domain Name - the maximum data reuse period specified for Domain Names in Section 4.2.1 of the Baseline Requirements; G. Name, Title, Agency, and Authority - 398 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated. -1. Each period set forth above SHALL begin to run on the date the relevant information was collected by the CA. -2. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 3.2.2.9](#3229-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 3.2.2.10](#32210-verification-of-approval-of-ev-certificate-request). -3. The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 3.2.2.14.1](#322141-validation-for-existing-subscribers). +2. Each period set forth above SHALL begin to run on the date the relevant information was collected by the CA. +3. The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under [Section 3.2.2.9](#3229-verification-of-signature-on-subscriber-agreement-and-ev-certificate-requests) and [Section 3.2.2.10](#32210-verification-of-approval-of-ev-certificate-request). +4. 
The CA MUST repeat the verification process required in these Guidelines for any information obtained outside the time limits specified above except when permitted otherwise under [Section 3.2.2.14.1](#322141-validation-for-existing-subscribers). ### 3.2.3 Authentication of individual identity @@ -1370,7 +1370,7 @@ All requirements in Section 6.1.1.1 of the Baseline Requirements apply equally t ### 6.3.2 Certificate operational periods and key pair usage periods -EV Certificates are subject to the Validity Period requirements of [Section 6.3.2](#632-certificate-operational-periods-and-key-pair-usage-periods) of the Baseline Requirements. +EV Certificates are subject to the Validity Period requirements of Section 6.3.2 of the Baseline Requirements. ## 6.4 Activation data From 28777f520309c2ae5561b81e223b34cc9aed93ef Mon Sep 17 00:00:00 2001 From: Dustin Hollenback - Apple Date: Fri, 12 Jun 2026 15:37:03 -0700 Subject: [PATCH 3/3] Add entry for version 2.0.3 in EVG documentation --- docs/EVG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/EVG.md b/docs/EVG.md index 8a3acfd6..97740244 100644 --- a/docs/EVG.md +++ b/docs/EVG.md @@ -86,6 +86,7 @@ These Guidelines do not address the verification of information, or the issuance | 2.0.0 | SC65 | Convert EVGs into RFC 3647 format | 2024-03-15 | 2024-05-15 | | 2.0.1 | SC72 | Delete except to policyQualifiers in EVGs; align with BRs by making them NOT RECOMMENDED | 2024-04-03 | 2024-05-06 | | 2.0.2 | SC95 | Clean-up 2025 | 2026-02-27 | 2026-05-04 | +| 2.0.3 | SC102 | Domain Reuse and Validity Alignment | TBD | TBD | \* Effective Date and Additionally Relevant Compliance Date(s)
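Review bot: the new changelog row `+| 2.0.3 | SC102 | Domain Reuse and Validity Alignment | TBD | TBD |` leaves both date columns as TBD, and the front matter changed in the second commit carries `+date: TBD July, 2026`; all three placeholders need to be resolved to the same value before merge, with the last column following the table's footnote convention (`\* Effective Date and Additionally Relevant Compliance Date(s)`). The description column could also name the affected sections (3.2.2.14 and 6.3.2), matching the level of detail of the 2.0.1 entry.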