[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Ryan Sleevi sleevi at google.com
Sat Feb 6 16:58:41 UTC 2021


I'm curious if you could explain why it doesn't seem realistic. Given the
data provided, it seems eminently and readily achievable.

Since this only applies to reuse of domain/IP address validation, it seems
like we can look at a shorter period, since as noted in the past, this data
is subject to regular change, and thus needs regular re-validation. As work
such as BygoneSSL shows, simply relying on "domain registrations are a
year" is not sufficient justification, since domain control regularly
changes (e.g. migration of Cloud providers).

On Fri, Feb 5, 2021 at 7:07 PM Ben Wilson via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> I am still interested in passing a CABF SC ballot to resolve this issue. I
> originally proposed an implementation date of July 1, 2021, which does not
> seem realistic now. One CA has indicated that they would endorse such a
> ballot if they had a year to work it through with their customers.
> Thoughts?
> Thanks,
> Ben
>
> On Wed, Dec 2, 2020 at 2:55 PM Ben Wilson <bwilson at mozilla.com> wrote:
>
>> I am loath to create this thread and to have two simultaneous discussions
>> on the same topic in two different fora, but I want to see if the
>> CA/Browser Forum is willing to incorporate substantially the same 398-day
>> policy, as discussed below, in its Baseline Requirements and EV Guidelines.
>>
>> On the Mozilla Dev Security Policy (mdsp) list (
>> https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ)
>> and in the Mozilla policy issues list on GitHub (
>> https://github.com/mozilla/pkipolicy/issues/206), Mozilla is considering
>> amending subsection 5 of section 2.1 of the Mozilla Root Store Policy
>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations>
>> to reduce the reuse of the validation of DNS Names and IP addresses to 398
>> days.
>>
>> Currently, Mozilla is looking at making this requirement effective as of
>> July 1, 2021, with some type of phase-in period, to-be-determined.
>>
>> I intend to draft a ballot that would accomplish that same goal within BR
>> section 4.2.1, and elsewhere as might be necessary in the Baseline
>> Requirements and EV Guidelines.
>>
>> To prime the discussion here, one issue discussed on the mdsp list is the
>> phase-in, if any, of this 398-day requirement. I have suggested that
>> sunsetting 825-day DNS/IP validations through 2023 is too long, given the
>> validation methods now available per BR 3.2.2.4 and 3.2.2.5. Would it be
>> simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP validations
>> older than 398 days?
>>