On Wednesday, March 11, 2020 at 4:11:56 PM UTC-7, Kathleen Wilson wrote:
> To start with, it is common for a domain name to be purchased for one
> year. A certificate owner that was able to prove ownership/control of
> the domain name last year might not have renewed the domain name. So why
> should they be able to get a renewal cert without having that re-checked?

I thought Domain control must be validated each time, or at least that used to be the case (as I remember it from a long time ago). So I went looking for the particular text and noted it was changed in BR 1.5.2.

BR 1.5.1 section 3.2.2.4, paragraph 2 states, "The CA SHALL confirm that, as of the date the Certificate issues...".
BR 1.5.2 section 3.2.2.4, paragraph 2 states, "The CA SHALL confirm that prior to issuance..."

I've always interpreted 3.2.2.4's "as of the date" to mean that regardless of the reuse allowance, domain validation must be performed every single time, which made a lot of sense. Why ballot 190 changed this is a mystery to me.

Thanks,
Santhan
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

