[Servercert-wg] [EXTERNAL] Reducing Domain/IP Address Validation Reuse to 398 Days

Bruce Morton Bruce.Morton at entrust.com
Thu Dec 3 22:02:05 UTC 2020

Hi Ben,

I am thinking that the solution could be that, effective 1 July 2021, all new verifications could be reused for 398 days AND all previous verifications with reuse expiry periods greater than 398 days would be reduced to 398 days of reuse. This would remove the 825 days of reuse and also allow the CAs 398 days to re-verify domains. Re-verification is important when the CA provides a service based on pre-validated data. The proposal would also mean that the full solution would be migrated in early August 2022.

Thanks, Bruce.

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ben Wilson via Servercert-wg
Sent: Wednesday, December 2, 2020 4:55 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL][Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

I am loath to create this thread and to have two simultaneous discussions on the same topic in two different fora, but I want to see if the CA/Browser Forum is willing to incorporate substantially the same 398-day policy, as discussed below, in its Baseline Requirements and EV Guidelines.

On the Mozilla Dev Security Policy (mdsp) list (https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ) and in the Mozilla policy issues list on GitHub (https://github.com/mozilla/pkipolicy/issues/206), Mozilla is considering amending subsection 5 of section 2.1 of the Mozilla Root Store Policy<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations> to reduce the reuse of the validation of DNS Names and IP addresses to 398 days.

Currently, Mozilla is looking at making this requirement effective as of July 1, 2021, with some type of phase-in period, to-be-determined.

I intend to draft a ballot that would accomplish that same goal within BR section 4.2.1, and elsewhere as might be necessary in the Baseline Requirements and EV Guidelines.

To prime the discussion here, one issue discussed on the mdsp list is the phase-in, if any, of this 398-day requirement. I have suggested that sunsetting 825-day DNS/IP validations through 2023 is too long, given the validation methods now available per BR and  Would it be simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP validations older than 398 days?
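
The transition Bruce proposes in his reply above (398 days for new validations, a cap on reuse of older 825-day validations) can be checked as date arithmetic. The following is an added example, not code from the thread or from any CA; the record type, the reading that pre-transition validations are cut off at the effective date plus 398 days, and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Parameters taken from the thread: old maximum reuse, proposed maximum
# reuse, and the proposed effective date of the change.
OLD_REUSE = timedelta(days=825)
NEW_REUSE = timedelta(days=398)
EFFECTIVE = date(2021, 7, 1)


@dataclass
class DomainValidation:
    """A completed DNS-name/IP-address validation (hypothetical record)."""
    identifier: str          # the validated dNSName or iPAddress
    validated_on: date       # date the validation was completed
    reuse_period: timedelta  # reuse period in force when it was completed


def reuse_expiry(v: DomainValidation) -> date:
    """Last day v may back an issuance under the proposed transition.

    Assumed reading of the proposal: validations completed on or after
    EFFECTIVE get 398 days; earlier validations keep their original expiry
    but may not be reused after EFFECTIVE + 398 days, so no validation data
    older than 398 days remains in use past early August 2022.
    """
    if v.validated_on >= EFFECTIVE:
        return v.validated_on + NEW_REUSE
    original_expiry = v.validated_on + v.reuse_period
    return min(original_expiry, EFFECTIVE + NEW_REUSE)


def needs_reverification(v: DomainValidation, issue_date: date) -> bool:
    """True if v cannot be reused for a certificate issued on issue_date."""
    return issue_date > reuse_expiry(v)


if __name__ == "__main__":
    # Constructed sample records, not real validation data.
    records = [
        DomainValidation("example.com", date(2020, 1, 1), OLD_REUSE),
        DomainValidation("example.net", date(2021, 6, 30), OLD_REUSE),
        DomainValidation("example.org", date(2021, 7, 1), NEW_REUSE),
    ]
    for r in records:
        print(r.identifier, r.validated_on, "reusable until", reuse_expiry(r))
```

Running the sample shows the 30 June 2021 validation, which would otherwise have lasted into October 2023, capped at 3 August 2022, the "early August 2022" endpoint Bruce describes.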
