[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Ben Wilson bwilson at mozilla.com
Sat Feb 6 00:07:32 UTC 2021


I am still interested in passing a CABF SC ballot to resolve this issue. I
originally proposed an implementation date of July 1, 2021, which does not
seem realistic now. One CA has indicated that they would endorse such a
ballot if they had a year to work it through with their customers.
Thoughts?
Thanks,
Ben

On Wed, Dec 2, 2020 at 2:55 PM Ben Wilson <bwilson at mozilla.com> wrote:

> I am loath to create this thread and to have two simultaneous discussions
> on the same topic in two different fora, but I want to see if the
> CA/Browser Forum is willing to incorporate substantially the same 398-day
> policy, as discussed below, in its Baseline Requirements and EV Guidelines.
>
> On the Mozilla Dev Security Policy (mdsp) list (
> https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ)
> and in the Mozilla policy issues list on GitHub (
> https://github.com/mozilla/pkipolicy/issues/206), Mozilla is considering
> amending subsection 5 of section 2.1 of the Mozilla Root Store Policy
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations>
> to reduce the reuse of the validation of DNS Names and IP addresses to 398
> days.
>
> Currently, Mozilla is looking at making this requirement effective as of
> July 1, 2021, with some type of phase-in period, to-be-determined.
>
> I intend to draft a ballot that would accomplish that same goal within BR
> section 4.2.1, and elsewhere as might be necessary in the Baseline
> Requirements and EV Guidelines.
>
> To prime the discussion here, one issue discussed on the mdsp list is the
> phase-in, if any, of this 398-day requirement. I have suggested that
> sunsetting 825-day DNS/IP validations through 2023 is too long, given the
> validation methods now available per BR 3.2.2.4 and 3.2.2.5.  Would it be
> simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP validations
> older than 398 days?
>