[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Ben Wilson bwilson at mozilla.com
Wed Dec 2 21:55:09 UTC 2020


I am loath to create this thread and to have two simultaneous discussions
on the same topic in two different fora, but I want to see if the
CA/Browser Forum is willing to incorporate substantially the same 398-day
policy, as discussed below, in its Baseline Requirements and EV Guidelines.

On the Mozilla Dev Security Policy (mdsp) list (
https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ)
and in the Mozilla policy issues list on GitHub (
https://github.com/mozilla/pkipolicy/issues/206), Mozilla is considering
amending subsection 5 of section 2.1 of the Mozilla Root Store Policy
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations>
to reduce the reuse of the validation of DNS Names and IP addresses to 398
days.

Currently, Mozilla is looking at making this requirement effective as of
July 1, 2021, with some type of phase-in period, to be determined.

I intend to draft a ballot that would accomplish that same goal within BR
section 4.2.1, and elsewhere as might be necessary in the Baseline
Requirements and EV Guidelines.

To prime the discussion here, one issue discussed on the mdsp list is the
phase-in, if any, of this 398-day requirement. I have suggested that
sunsetting 825-day DNS/IP validations through 2023 is too long, given the
validation methods now available per BR 3.2.2.4 and 3.2.2.5. Would it be
simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP validations
older than 398 days?