[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Dec 3 10:51:42 UTC 2020

On 2/12/2020 11:55 PM, Ben Wilson via Servercert-wg wrote:
> I am loath to create this thread and to have two simultaneous 
> discussions on the same topic in two different fora, but I want to see 
> if the CA/Browser Forum is willing to incorporate substantially the 
> same 398-day policy, as discussed below, in its Baseline Requirements 
> and EV Guidelines.
> On the Mozilla Dev Security Policy (mdsp) list 
> (https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ) 
> and in the Mozilla policy issues list on GitHub 
> (https://github.com/mozilla/pkipolicy/issues/206), Mozilla is 
> considering amending subsection 5 of section 2.1 of the Mozilla Root 
> Store Policy 
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations> 
> to reduce the reuse of the validation of DNS Names and IP addresses to 
> 398 days.
> Currently, Mozilla is looking at making this requirement effective as 
> of July 1, 2021, with some type of phase-in period, to-be-determined.
> I intend to draft a ballot that would accomplish that same goal within 
> BR section 4.2.1, and elsewhere as might be necessary in the Baseline 
> Requirements and EV Guidelines.
> To prime the discussion here, one issue discussed on the mdsp list is 
> the phase-in, if any, of this 398-day requirement. I have suggested 
> that sunsetting 825-day DNS/IP validations through 2023 is too long, 
> given the validation methods now available per BR and 
>  Would it be simpler just to prohibit, as of 7/1/2021, any 
> reuse of DNS/IP validations older than 398 days?

HARICA supports reducing the Domain Validation reuse period to 398 days. 
We supported this during the discussion for ballot SC22 as well.

The recent discussion thread in the validation subcommittee 
to limit all "web site change" Domain Validation methods only for FQDNs 
will create some re-validation challenges and difficulties so we need to 
take that into consideration.

The proposal to dismiss validation information older than 398 days 
starting 2021-07-01 is also reasonable.
