Description
The language of EVG 3.2.2.14.2 indicates that a CA may reissue an EV TLS certificate based on a previously issued certificate.
This is problematic in itself: the section neither prohibits such reissuance when the SANs included in the certificate differ, nor stipulates that the validation of the prior certificate must have been completed by the CA issuing the new certificate. Normally this would not be an issue, since other sections of the requirements contain stipulations preventing such misissuance; however, this section appears as a relatively stand-alone carve-out for a unique process that is allowed despite otherwise conflicting with the requirements that must be met for certificate issuance.
One such example is the requirement of Section 4.2.1 of the TBRs, which states: "In no case may a prior validation be reused if any data or document used in the prior validation was obtained more than the maximum time permitted for reuse of the data or document prior to issuing the Certificate."
Despite this clear language, EVG 3.2.2.14.2 appears to allow a CA to ignore the maximum time permitted for reuse of validation data, because it instead relies on a prior certificate (further reinforced by EVG 3.2.2.14.3, which explicitly states that certificates issued under 3.2.2.14.2 are not subject to the same maximum validation data reuse restrictions).
Both Sections 3.2.2.14.1 and 3.2.2.14.2 of the EVGs appear inconsistent with current expectations for validation data reuse conditions and timeframes, especially where they intersect with the requirements of the TBRs.