<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
Ben,<br>
<br>
HARICA will endorse shortening the re-use period for Domain Name and
IP Address Validation to 398 days.<br>
<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 8/2/2021 7:54 μ.μ., Ben Wilson via
Servercert-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100017782c7bb0e-aa038cae-abdb-46ef-ab18-5911aa850ef6-000000@email.amazonses.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">It's doable - but I'd like to see if anyone wants
to endorse a ballot here to make the necessary modifications to
section 4.2.1, or whether I assume not and just focus on the
Mozilla Root Store Policy Issue # 206. <br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Sat, Feb 6, 2021 at 9:59 AM
Ryan Sleevi <<a href="mailto:sleevi@google.com"
moz-do-not-send="true">sleevi@google.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">I'm curious if you could explain why it doesn't
seem realistic. Given the data provided, it seems eminently
and readily achievable.
<div><br>
</div>
<div>Since this only applies to reuse of domain/IP address
validation, it seems like we can look at a shorter period,
since as noted in the past, this data is subject to
regular change, and thus needs regular re-validation. As
work such as BygoneSSL shows, simply relying on "domain
registrations are a year" is not sufficient justification,
since domain control regularly changes (e.g. migration of
Cloud providers)</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Feb 5, 2021 at
7:07 PM Ben Wilson via Servercert-wg <<a
href="mailto:servercert-wg@cabforum.org" target="_blank"
moz-do-not-send="true">servercert-wg@cabforum.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>I am still interested in passing a CABF SC ballot
to resolve this issue. I originally proposed an
implementation date of July 1, 2021, which does not
seem realistic now. One CA has indicated that they
would endorse such a ballot if they had a year to work
it through with their customers.<br>
</div>
<div>Thoughts?</div>
<div>Thanks,</div>
<div>Ben<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Dec 2, 2020 at
2:55 PM Ben Wilson <<a
href="mailto:bwilson@mozilla.com" target="_blank"
moz-do-not-send="true">bwilson@mozilla.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>I am loath to create this thread and to have
two simultaneous discussions on the same topic in
two different fora, but I want to see if the
CA/Browser Forum is willing to incorporate
substantially the same 398-day policy, as
discussed below, in its Baseline Requirements and
EV Guidelines. <br>
</div>
<div><br>
</div>
<div>On the Mozilla Dev Security Policy (mdsp) list
(<a
href="https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ"
target="_blank" moz-do-not-send="true">https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ</a>)
and in the Mozilla policy issues list on GitHub (<a
href="https://github.com/mozilla/pkipolicy/issues/206" target="_blank"
moz-do-not-send="true">https://github.com/mozilla/pkipolicy/issues/206</a>),
Mozilla is considering amending subsection 5 of <a
href="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations"
target="_blank" moz-do-not-send="true">section
2.1 of the Mozilla Root Store Policy</a> to
reduce the reuse of the validation of DNS Names
and IP addresses to 398 days.</div>
<div><br>
</div>
<div>Currently, Mozilla is looking at making this
requirement effective as of July 1, 2021, with
some type of phase-in period, to-be-determined.<br>
</div>
<div><br>
</div>
<div>I intend to draft a ballot that would
accomplish that same goal within BR section 4.2.1,
and elsewhere as might be necessary in the
Baseline Requirements and EV Guidelines. <br>
</div>
<div><br>
</div>
<div>To prime the discussion here, one issue
discussed on the mdsp list is the phase-in, if
any, of this 398-day requirement. I have suggested
that sunsetting 825-day DNS/IP validations through
2023 is too long, given the validation methods now
available per BR 3.2.2.4 and 3.2.2.5. Would it be
simpler just to prohibit, as of 7/1/2021, any
reuse of DNS/IP validations older than 398 days? <br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</blockquote>
</div>
_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org"
target="_blank" moz-do-not-send="true">Servercert-wg@cabforum.org</a><br>
<a
href="https://lists.cabforum.org/mailman/listinfo/servercert-wg"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</blockquote>
</div>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Servercert-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Servercert-wg@cabforum.org">Servercert-wg@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/servercert-wg">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a>
</pre>
</blockquote>
<br>
</body>
</html>