CA/Browser Forum
Home » Posts » Ballot 49 – New Certificate for Existing Subscriber

Ballot 49 – New Certificate for Existing Subscriber

Ballot 49 – New Certificate for Existing Subscriber (Passed Unanimously)

Motion

Rich Smith made the following motion, endorsed by Ben Wilson and Bruce Morton (note: for a “red-line” version, see email from Rich Smith on 12 July):

Motion begins

EFFECTIVE IMMEDIATELY,

  • Erratum begins A. RENAME the following Sections as follows:

Section 8.3 (Maximum Validity Period) to “8.3 Technical Requirements”

Section 8.3.1 (For EV Certificate) to “8.3.1 Maximum Validity Period For EV Certificate”

Section 10.13 (EV Certificate Renewal Verification Requirements) to “10.13 Requirements for Re-use of Existing Documentation”;

B. Move Section 10.13.2 to Section 10.13.4 to read as follows:

10.13.4 Validation of Re-issuance Requests

A CA may rely on previously verified information to issue a replacement certificate where:

  1. The expiration date of the replacement certificate is the same as the expiration date of the currently valid EV Certificate being replaced, and

  2. The certificate Subject of the Replacement Certificate is the same as the certificate Subject contained in the currently valid EV Certificate.

C. MOVE Section 10.13.1 to Section 10.13.2 and amend it to read as follows:

10.13.2 Validation for Existing Subscribers

In conjunction with an EV Certificate Request placed by an Applicant who is already a customer of the CA, the CA MUST perform all authentication and verification tasks required by these Guidelines to ensure that the request is properly authorized by the Applicant and that the information in the EV Certificate will still be accurate and valid.

D. MOVE Section 8.3.2 to Section 10.13.1(1) so that it reads as follows:

10.13 Requirements for Re-use of Existing Documentation

10.13.1 For Validated Data

(1) The age of validated data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits:

(A) Legal existence and identity – thirteen months;

(B) Assumed name – thirteen months;

(C) Address of Place of Business – thirteen months, but thereafter data MAY be refreshed by checking a Qualified Independent Information Source, even where a site visit was originally required;

(D) Telephone number for Place of Business – thirteen months;

(E) Bank account verification – thirteen months;

(F) Domain Name – thirteen months;

(G) Identity and authority of Certificate Approver – thirteen months, unless a contract is in place between the CA and the Applicant that specifies a different term, in which case, the term specified in such contract will control. For example, the contract MAY use terms that allow the assignment of roles that are perpetual until revoked, or until the contract expires or is terminated.

E. RENUMBER Section 8.3.3 (Other Technical Requirements for EV Certificates) to Section 8.3.2;

F. In Section 10.13.3 DELETE the first clause as follows:

10.13.3 Renewal Exceptions

Notwithstanding the requirements set forth in Section 13.3.2 and Section 8.3, when performing the authentication and verification tasks for renewing an EV Certificate that was issued by itself, a CA MAY:

And in Section 10.13.3 INSERT the following replacement clause:

10.13.3 Exceptions

Notwithstanding the requirements set forth in Section 10.13.1 and Section 10.13.2, when performing the authentication and verification tasks for issuing an EV Certificate where the Applicant has a current valid EV Certificate issued by the CA, a CA MAY:

G. MOVE the following Subsections in Section 13.3 (Reuse and Updating Information and Documentation) to the following subsections in Section 10.13.1:

Section 13.3.1 to Section 10.13.1(3) so that it reads as follows:

(3) The CA MAY issue multiple EV Certificates listing the same Subject and based on a single EV Certificate Request, subject to the aging and updating requirements stated above.

Section 13.3.2(1) to Section 10.13.1(4) so that it reads as follows:

(4) Each EV Certificate issued by the CA MUST be supported by a valid current EV Certificate Request and a Subscriber Agreement signed by the appropriate Applicant Representative on behalf of the Applicant or Terms of Use acknowledged by the appropriate Applicant Representative.

Section 13.3.2(2) to Section 10.13.1(2) and AMEND it, so that it reads as follows:

(2) The age of information used by the CA to verify such an EV Certificate Request MUST NOT exceed the Maximum Validity Period for such information set forth above in subsection (1), based on the earlier of the date the information was obtained (e.g., the date of a confirmation phone call) or the date the information was last updated by the QIIS, QGIS, or QTIS (e.g., if an online database was accessed by the CA on July 1, but contained data last updated by the QIIS, QGIS, or QTIS on February 1 of the same year, then the date on which the information was obtained would be considered to be February 1).

Section 13.3.2(3) to Section 10.13.1(5) so that it reads as follows:

(5) In the case of outdated information, the CA MUST repeat the verification processes required in these Guidelines.

H. DELETE Section 13.3 (Reuse and Updating Information and Documentation) and RENUMBER Section 13.4 (Data Security) to Section 13.3 and make subsequent numbering changes to Section 13.3 Data Security accordingly.

  • Erratum ends The ballot review period comes into effect at 2100 UTC on 23 July ’10 and will close at 2100 UTC on 30 July ’10. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2100 UTC on 6 Aug ’10.

Votes must be cast by “reply all’ to this email.

A vote in favour of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted.

The latest vote received from any representative of a voting member before the close of the voting period will be counted.

Motion ends

Latest releases
Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed

Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.6 - Ballot SMC08 - Aug 29, 2024

This ballot sets a date by which issuance of certificates following the Legacy generation profiles must cease. It also includes the following minor updates:

  • Pins the domain validation procedures to v 2.0.5 of the TLS Baseline Requirements while the ballot activity for multi-perspective validation is concluded, and the SMCWG determines its corresponding course of action;
  • Updates the reference for SmtpUTF8Mailbox from RFC 8398 to RFC 9598; and
  • Small text corrections in the Reference section

Network and Certificate System Security Requirements
v2.0 - Ballot NS-003 - Jun 26, 2024

Ballot NS-003: Restructure the NCSSRs in https://github.com/cabforum/netsec/pull/35

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).