<div dir="ltr">It's doable - but I'd like to see if anyone wants to endorse a ballot here to make the necessary modifications to section 4.2.1, or whether I assume not and just focus on the Mozilla Root Store Policy Issue # 206. <br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Feb 6, 2021 at 9:59 AM Ryan Sleevi <<a href="mailto:sleevi@google.com">sleevi@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I'm curious if you could explain why it doesn't seem realistic. Given the data provided, it seems eminently and readily achievable. <div><br></div><div>Since this only applies to reuse of domain/IP address validation, it seems like we can look at a shorter period, since as noted in the past, this data is subject to regular change, and thus needs regular re-validation. As work such as BygoneSSL shows, simply relying on "domain registrations are a year" is not sufficient justification, since domain control regularly changes (e.g. migration of Cloud providers)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 5, 2021 at 7:07 PM Ben Wilson via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>I am still interested in passing a CABF SC ballot to resolve this issue. I originally proposed an implementation date of July 1, 2021, which does not seem realistic now. One CA has indicated that they would endorse such a ballot if they had a year to work it through with their customers.<br></div><div>Thoughts?</div><div>Thanks,</div><div>Ben<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 2, 2020 at 2:55 PM Ben Wilson <<a href="mailto:bwilson@mozilla.com" target="_blank">bwilson@mozilla.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>I am loath to create this thread and to have two simultaneous discussions on the same topic in two different fora, but I want to see if the CA/Browser Forum is willing to incorporate substantially the same 398-day policy, as discussed below, in its Baseline Requirements and EV Guidelines. <br></div><div><br></div><div>On the Mozilla Dev Security Policy (mdsp) list (<a href="https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ" target="_blank">https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ</a>) and in the Mozilla policy issues list on GitHub (<a href="https://github.com/mozilla/pkipolicy/issues/206" target="_blank">https://github.com/mozilla/pkipolicy/issues/206</a>), Mozilla is considering amending subsection 5 of <a href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations" target="_blank">section 2.1 of the Mozilla Root Store Policy</a> to reduce the reuse of the validation of DNS Names and IP addresses to 398 days.</div><div><br></div><div>Currently, Mozilla is looking at making this requirement effective as of July 1, 2021, with some type of phase-in period, to-be-determined.<br></div><div><br></div><div>I intend to draft a ballot that would accomplish that same goal within BR section 4.2.1, and elsewhere as might be necessary in the Baseline Requirements and EV Guidelines. <br></div><div><br></div><div>To prime the discussion here, one issue discussed on the mdsp list is the phase-in, if any, of this 398-day requirement. I have suggested that sunsetting 825-day DNS/IP validations through 2023 is too long, given the validation methods now available per BR 3.2.2.4 and 3.2.2.5. Would it be simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP validations older than 398 days? <br></div><div><br></div><div><br></div><div><br></div><div><br></div></div>
</blockquote></div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote></div>
</blockquote></div>