Open sleevi opened 2 years ago
Discussed at 11/2/23 Validation subcommittee meeting. Clint said that this is on Apple's backlog. In particular, clarifying that a domain name in a technically constrained subCA needs to be revalidated on the same cadence as any other domain name. Clint said that he hopes to work on this in the next year.
There's some interesting interplays for domain validation periods worth clarifying.
Section 4.2.1 limits the reuse of domain validation documents to 398 days prior to issuing a certificate, as of 2021-10-01, which limits which domains can appear within the Subject Alt Name. The validity period for certificates is similarly fixed, by Section 6.3.2, thus ensuring that the upper bound of a "stale" domain name validation is (cert lifetime + cert reuse period - 1 second); ensuring that at least every 796 days, all domain names appearing within a certificate have been revalidated.
Section 1.3.2 of the BRs https://github.com/cabforum/servercert/blob/cda0f92ee70121fd5d692685b97ebb6669c74fb7/docs/BR.md#L181-L201 permits CAs the use of a "verified Domain Namespace" for Enterprise RAs. An Enterprise RA is exempted from an audit report normal for Delegated Third Parties by Section 8.4 https://github.com/cabforum/servercert/blob/cda0f92ee70121fd5d692685b97ebb6669c74fb7/docs/BR.md#L2349
Section 7.1.5 of the BRs https://github.com/cabforum/servercert/blob/cda0f92ee70121fd5d692685b97ebb6669c74fb7/docs/BR.md#L2171-L2172 defines the requirements for a Technically Constrained Subordinate CA Certificate, including a requirement to enumerate the verified Domain Namespace(s) for the TCSC's `permittedSubtrees`.
This opens a few questions:

- `permittedSubtrees`, but if there is no CA obligation to validate that data remains correct, this seems to be an issue.

Possible (and simple) solutions:
- `dNSName` or `iPAddress` constraints

Longer term, this may require a more careful rethinking of technically constrained subordinate CA certificates, primarily those used for TLS, such as not exempting them from the audit requirements, and, if the validity period is still allowed to exceed that of Subscriber Certificates, an obligation for regular re-validation in line with the domain reuse period (e.g. every 30 days).
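The staleness arithmetic from this issue (398-day reuse window plus certificate lifetime), worked through as an added example that is not code from the issue or from the CA/Browser Forum: it flags names whose evidence was already too old at issuance, computes how stale a name can get before the certificate carrying it expires, and lists names due under a fixed revalidation cadence. The certificates, names, dates and the five-year TCSC lifetime are constructed for illustration.

```python
# Added example (not from the issue or the BRs): the staleness arithmetic from
# the issue, applied to a subscriber cert and a technically constrained sub-CA.
from dataclasses import dataclass
from datetime import date, timedelta

REUSE_DAYS = 398           # BR 4.2.1: validation evidence reuse limit
SUBSCRIBER_MAX_DAYS = 398  # BR 6.3.2: subscriber certificate validity cap

@dataclass(frozen=True)
class ValidatedName:
    kind: str           # "dNSName" or "iPAddress" (permittedSubtrees types)
    value: str
    validated_on: date  # when the CA last completed validation (constructed)

@dataclass(frozen=True)
class Cert:
    not_before: date
    not_after: date
    names: tuple        # SANs of a subscriber cert, or a TCSC's permittedSubtrees

def reuse_violations(cert):
    """Names whose evidence was already older than REUSE_DAYS at issuance."""
    cutoff = cert.not_before - timedelta(days=REUSE_DAYS)
    return [n.value for n in cert.names if n.validated_on < cutoff]

def worst_case_staleness_days(cert):
    """Oldest a name's validation can get while the cert is still valid."""
    return max((cert.not_after - n.validated_on).days for n in cert.names)

def exceeds_subscriber_bound(cert):
    """True if a name can get staler than the 796-day bound the issue derives
    for subscriber certificates (reuse period + validity cap)."""
    return worst_case_staleness_days(cert) > REUSE_DAYS + SUBSCRIBER_MAX_DAYS

def revalidation_due(cert, period_days, today):
    """Names whose evidence is at least period_days old on `today`, i.e. due
    under a fixed cadence like the 30-day one the issue suggests for TCSCs."""
    return [n.value for n in cert.names
            if (today - n.validated_on).days >= period_days]

# Constructed certificates: same issuance date, different lifetimes.
EVIDENCE = date(2022, 11, 29)  # exactly 398 days before the 2024-01-01 issuance
SUBSCRIBER = Cert(date(2024, 1, 1), date(2025, 2, 2),   # 398-day lifetime
                  (ValidatedName("dNSName", "example.com", EVIDENCE),))
TCSC = Cert(date(2024, 1, 1), date(2029, 1, 1),         # five-year lifetime
            (ValidatedName("dNSName", ".example.com", EVIDENCE),
             ValidatedName("iPAddress", "192.0.2.0/24", date(2022, 6, 1))))
```

With these inputs the subscriber certificate tops out at the 796 days the issue describes, while the TCSC's `dNSName` entry can reach 2225 days and its `iPAddress` entry, already outside the reuse window at issuance, 2406 days.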