<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 2/12/2020 11:55 μ.μ., Ben Wilson via
Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:010001762573f7b2-aa319264-fb71-4a01-860c-7bc12eaa1b14-000000@email.amazonses.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>I am loath to create this thread and to have two
simultaneous discussions on the same topic in two different
fora, but I want to see if the CA/Browser Forum is willing to
incorporate substantially the same 398-day policy, as
discussed below, in its Baseline Requirements and EV
Guidelines. <br>
</div>
<div><br>
</div>
<div>On the Mozilla Dev Security Policy (mdsp) list (<a
href="https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ"
moz-do-not-send="true">https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ</a>)
and in the Mozilla policy issues list on GitHub (<a
href="https://github.com/mozilla/pkipolicy/issues/206"
moz-do-not-send="true">https://github.com/mozilla/pkipolicy/issues/206</a>),
Mozilla is considering amending subsection 5 of <a
href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations"
moz-do-not-send="true">section 2.1 of the Mozilla Root Store
Policy</a> to reduce the reuse of the validation of DNS
Names and IP addresses to 398 days.</div>
<div><br>
</div>
<div>Currently, Mozilla is looking at making this requirement
effective as of July 1, 2021, with some type of phase-in
period, to-be-determined.<br>
</div>
<div><br>
</div>
<div>I intend to draft a ballot that would accomplish that same
goal within BR section 4.2.1, and elsewhere as might be
necessary in the Baseline Requirements and EV Guidelines. <br>
</div>
<div><br>
</div>
<div>To prime the discussion here, one issue discussed on the
mdsp list is the phase-in, if any, of this 398-day
requirement. I have suggested that sunsetting 825-day DNS/IP
validations through 2023 is too long, given the validation
methods now available per BR 3.2.2.4 and 3.2.2.5. Would it be
simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP
validations older than 398 days? <br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</blockquote>
<br>
HARICA supports reducing the Domain Validation reuse period to 398
days. We supported this during the discussion for ballot SC22 as
well.<br>
<br>
The recent <a moz-do-not-send="true"
href="https://lists.cabforum.org/pipermail/validation/2020-December/001607.html">discussion
thread in the validation subcommittee</a> to limit all "web site
change" Domain Validation methods only for FQDNs will create some
re-validation challenges and difficulties so we need to take that
into consideration.<br>
<br>
The proposal to dismiss validation information older than 398 days
starting 2021-07-01 is also reasonable. <br>
<br>
<br>
Dimitris.<br>
<br>
<blockquote type="cite"
cite="mid:010001762573f7b2-aa319264-fb71-4a01-860c-7bc12eaa1b14-000000@email.amazonses.com">
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</body>
</html>