The Baseline Requirements, Section 4.9.1.1, requires that the CA revoke if:

6. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);

The Baseline Requirements, Section 9.6.3, requires that the Subscriber Agreement imposed upon Subscribers must include:

5. Reporting and Revocation: An obligation and warranty to: (a) promptly request revocation of the Certificate, and cease using it and its associated Private Key, if there is any actual or suspected misuse or compromise of the Subscriber’s Private Key associated with the Public Key included in the Certificate, and (b) promptly request revocation of the Certificate, and cease using it, if any information in the Certificate is or becomes incorrect or inaccurate.

In order to do something as you propose, it must be possible to determine the domain registration period. How do you propose to do that consistently for all domains? (It's not actually available consistently).

On Thu, Jan 11, 2018 at 5:56 PM, James Burton via Public <[email protected]> wrote:

> Shouldn't we start restricting the certificate lifetime to domain
> registration period if the certificate expiry date is greater than domain
> registration period?
>
> _______________________________________________
> Public mailing list
> [email protected]
> https://cabforum.org/mailman/listinfo/public
