<div dir="ltr"><div>I am still interested in passing a CABF SC ballot to resolve this issue. I originally proposed an implementation date of July 1, 2021, which does not seem realistic now. One CA has indicated that they would endorse such a ballot if they had a year to work it through with their customers.<br></div><div>Thoughts?</div><div>Thanks,</div><div>Ben<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 2, 2020 at 2:55 PM Ben Wilson <<a href="mailto:bwilson@mozilla.com">bwilson@mozilla.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>I am loath to create this thread and to have two simultaneous discussions on the same topic in two different fora, but I want to see if the CA/Browser Forum is willing to incorporate substantially the same 398-day policy, as discussed below, in its Baseline Requirements and EV Guidelines. <br></div><div><br></div><div>On the Mozilla Dev Security Policy (mdsp) list (<a href="https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ" target="_blank">https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ</a>) and in the Mozilla policy issues list on GitHub (<a href="https://github.com/mozilla/pkipolicy/issues/206" target="_blank">https://github.com/mozilla/pkipolicy/issues/206</a>), Mozilla is considering amending subsection 5 of <a href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations" target="_blank">section 2.1 of the Mozilla Root Store Policy</a> to reduce the reuse of the validation of DNS Names and IP addresses to 398 days.</div><div><br></div><div>Currently, Mozilla is looking at making this requirement effective as of July 1, 2021, with some type of phase-in period, to-be-determined.<br></div><div><br></div><div>I intend to draft a ballot that would accomplish that same goal within BR section 4.2.1, and elsewhere as might be necessary in the Baseline Requirements and EV Guidelines. <br></div><div><br></div><div>To prime the discussion here, one issue discussed on the mdsp list is the phase-in, if any, of this 398-day requirement. I have suggested that sunsetting 825-day DNS/IP validations through 2023 is too long, given the validation methods now available per BR 3.2.2.4 and 3.2.2.5. Would it be simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP validations older than 398 days? <br></div><div><br></div><div><br></div><div><br></div><div><br></div></div>
</blockquote></div>