CA/Browser Forum
Home » All CA/Browser Forum Posts » Ballot 15 – Certificate Renewal

Ballot 15 – Certificate Renewal

Ballot 15 – Certificate Renewal (Passed Unanimously)

Motion

Nick Hales has made the following motion, and Bruce Morton and Tony Berman have endorsed it:

Motion begins

The Guidelines should be amended by the following erratum.

Erratum begins

Replace this paragraph from Section 8 (b)

  1. Maximum Validity Period

(b) For Validated Data the age of validated data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits:

(1) Legal existence and identity – one year;

(2) Assumed name – one year;

(3) Address of Place of Business – one year, but thereafter data MAY be refreshed by checking a Qualified Independent Information Source, even where a site visit was originally required;

(4) Telephone number for Place of Business – one year;

(5) Bank account verification – one year;

(6) Domain name – one year;

(7) Identity and authority of Certificate Approver – one year, unless a contract is in place between the CA and Applicant that specifies a different term, in which case, the term specified in such contract will control. For example, the contract MAY use terms that allow the assignment of roles that are perpetual until revoked, or until the contract expires or is terminated.

With

  1. Maximum Validity Period

(b) For Validated Data the age of validated data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits:

(1) Legal existence and identity – thirteen months;

(2) Assumed name – thirteen months;

(3) Address of Place of Business – thirteen months, but thereafter data MAY be refreshed by checking a Qualified Independent Information Source, even where a site visit was originally required;

(4) Telephone number for Place of Business – thirteen months;

(5) Bank account verification – thirteen months;

(6) Domain name – thirteen months;

(7) Identity and authority of Certificate Approver – thirteen months, unless a contract is in place between the CA and Applicant that specifies a different term, in which case, the term specified in such contract will control. For example, the contract MAY use terms that allow the assignment of roles that are perpetual until revoked, or until the contract expires or is terminated.

Add the following paragraph as Section 22(d)(3)

22(d)(3) – The CA MAY rely on a verified Confirming Person to confirm their own contact information: email address, telephone number, and facsimile number. The CA MAY rely on this verified contact information for future correspondence with the Confirming Person if:

  1. The domain of the e-mail address is owned by the Applicant and is the Confirming Person’s own e-mail address and not a group e-mail alias,

  2. The Confirming Person’s telephone/fax number is verified by the CA to be a telephone number that is part of the organization’s telephone system, and is not the personal phone number for the person.

Replace this paragraph from Section 25

  1. Certificate Renewal Verification Requirements

Before renewing an EV Certificate, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the renewal request is properly authorized by Applicant and that the information in the EV Certificate is still accurate and valid.

With

  1. EV Certificate Renewal Verification Requirements

(a) Validation for Renewal Requests. In conjunction with the EV Certificate Renewal process, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the renewal request is properly authorized by Applicant and that the information in the EV Certificate is still accurate and valid.

(b) Exceptions. Notwithstanding the requirements set forth in Section 33(b) (Use of Pre-Existing Information or Documentation) and Section 8 (Maximum Validity Period), a CA, when performing the authentication and verification tasks for EV Certificate Renewal MAY:

(1) EV Certificate previously issued by the CA:

(i) Rely on its prior authentication and verification of:

(a) A Principal Individual of a Business Entity under Section 14(b)(4) if the Principal Individual is the same as the Principal Individual verified by the CA in connection with the previously issued EV Certificate,

(b) Applicant’s Place of Business under Section 16(a),

(c) The verification of telephone number of Applicant’s Place of Business required by Section 16(b), but still MUST perform the verification required by Section 16(b)(2)(a),

(d) Applicant’s Operational Existence under Section 17,

(e) The name, title, and authority of the Contract Signer, Certificate Approver, and Certificate Requester under Section 19, except where a contract is in place between the CA and Applicant that specifies a specific term for the authority of the Contract Signer, and/or the Certificate Approver, and/or Certificate Requester in which case, the term specified in such contract will control,

(f) The prior verification of the email address used by the CA for independent confirmation from applicant under Section 22(d)(1)(B)(ii).

(ii) Rely on prior Verified Legal/Accountant Opinion that established:

(a) Applicant’s exclusive right to use the specified domain name under Section 18 (a)(b)(2)(1) & Section 18 (a)(b)(2)(1)(B), provided that the CA verifies that the whois record still shows the same registrant as indicated when the CA received the prior Verified Legal Opinion,

(b) Verification that Applicant is aware that it has exclusive control of the domain name, under Section 18 (a)(b)(3).

Add the following Definition to the Definition section:

EV Certificate Renewal. The process whereby an Applicant who has a valid unexpired and non-revoked EV certificate makes application, to the CA that issued the original certificate, for a newly issued EV certificate for the same organizational and domain name prior to the expiration of the applicant’s existing EV Certificate.

Erratum ends

Motion ends

The ballot review period comes into effect at 1700 EDT on (Friday) 11 July 2008, and will close at 1700EDT on (Friday) 18 July 2008. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 1700 EDT on (Friday) 25 July 2008.

Votes must be cast by ‘reply all’ to this email.

A vote in favour of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted.

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.7 - Ballot SMC09 - Nov 25, 2024

This ballot includes updates for the following: • Require pre-linting of leaf end entity Certificates starting September 15, 2025 • Require WebTrust for Network Security for audits starting after April 1, 2025 • Clarify that multiple certificatePolicy OIDs are allowed in end entity certificates • Clarify use of organizationIdentifer references • Update of Appendix A.2 Natural Person Identifiers This ballot is proposed by Stephen Davidson (DigiCert) and endorsed by Clint Wilson (Apple) and Martijn Katerbarg (Sectigo).

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).