[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Dec 3 10:51:42 UTC 2020
On 2/12/2020 11:55 p.m., Ben Wilson via Servercert-wg wrote:
> I am loath to create this thread and to have two simultaneous
> discussions on the same topic in two different fora, but I want to see
> if the CA/Browser Forum is willing to incorporate substantially the
> same 398-day policy, as discussed below, in its Baseline Requirements
> and EV Guidelines.
>
> On the Mozilla Dev Security Policy (mdsp) list
> (https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ)
> and in the Mozilla policy issues list on GitHub
> (https://github.com/mozilla/pkipolicy/issues/206), Mozilla is
> considering amending subsection 5 of section 2.1 of the Mozilla Root
> Store Policy
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations>
> to reduce the reuse of the validation of DNS Names and IP addresses to
> 398 days.
>
> Currently, Mozilla is looking at making this requirement effective as
> of July 1, 2021, with some type of phase-in period, to-be-determined.
>
> I intend to draft a ballot that would accomplish that same goal within
> BR section 4.2.1, and elsewhere as might be necessary in the Baseline
> Requirements and EV Guidelines.
>
> To prime the discussion here, one issue discussed on the mdsp list is
> the phase-in, if any, of this 398-day requirement. I have suggested
> that sunsetting 825-day DNS/IP validations through 2023 is too long,
> given the validation methods now available per BR 3.2.2.4 and
> 3.2.2.5. Would it be simpler just to prohibit, as of 7/1/2021, any
> reuse of DNS/IP validations older than 398 days?
>
>
HARICA supports reducing the Domain Validation reuse period to 398 days.
We supported this during the discussion for ballot SC22 as well.
The recent discussion thread in the validation subcommittee
<https://lists.cabforum.org/pipermail/validation/2020-December/001607.html>
to limit all "web site change" Domain Validation methods only to FQDNs
will create some re-validation challenges and difficulties, so we need to
take that into consideration.
The proposal to dismiss validation information older than 398 days
starting 2021-07-01 is also reasonable.
Dimitris.