[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Ben Wilson bwilson at mozilla.com
Mon Feb 8 17:54:07 UTC 2021


It's doable - but I'd like to see if anyone wants to endorse a ballot here
to make the necessary modifications to section 4.2.1, or whether I assume
not and just focus on the Mozilla Root Store Policy Issue #206.

On Sat, Feb 6, 2021 at 9:59 AM Ryan Sleevi <sleevi at google.com> wrote:

> I'm curious if you could explain why it doesn't seem realistic. Given the
> data provided, it seems eminently and readily achievable.
>
> Since this only applies to reuse of domain/IP address validation, it seems
> like we can look at a shorter period, since as noted in the past, this data
> is subject to regular change, and thus needs regular re-validation. As work
> such as BygoneSSL shows, simply relying on "domain registrations are a
> year" is not sufficient justification, since domain control regularly
> changes (e.g., migration of cloud providers).
>
> On Fri, Feb 5, 2021 at 7:07 PM Ben Wilson via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> I am still interested in passing a CABF SC ballot to resolve this issue.
>> I originally proposed an implementation date of July 1, 2021, which does
>> not seem realistic now. One CA has indicated that they would endorse such a
>> ballot if they had a year to work it through with their customers.
>> Thoughts?
>> Thanks,
>> Ben
>>
>> On Wed, Dec 2, 2020 at 2:55 PM Ben Wilson <bwilson at mozilla.com> wrote:
>>
>>> I am loath to create this thread and to have two simultaneous
>>> discussions on the same topic in two different fora, but I want to see if
>>> the CA/Browser Forum is willing to incorporate substantially the same
>>> 398-day policy, as discussed below, in its Baseline Requirements and EV
>>> Guidelines.
>>>
>>> On the Mozilla Dev Security Policy (mdsp) list (
>>> https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ)
>>> and in the Mozilla policy issues list on GitHub (
>>> https://github.com/mozilla/pkipolicy/issues/206), Mozilla is
>>> considering amending subsection 5 of section 2.1 of the Mozilla Root
>>> Store Policy
>>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations>
>>> to reduce the reuse of the validation of DNS Names and IP addresses to 398
>>> days.
>>>
>>> Currently, Mozilla is looking at making this requirement effective as of
>>> July 1, 2021, with some type of phase-in period, to-be-determined.
>>>
>>> I intend to draft a ballot that would accomplish that same goal within
>>> BR section 4.2.1, and elsewhere as might be necessary in the Baseline
>>> Requirements and EV Guidelines.
>>>
>>> To prime the discussion here, one issue discussed on the mdsp list is
>>> the phase-in, if any, of this 398-day requirement. I have suggested that
>>> sunsetting 825-day DNS/IP validations through 2023 is too long, given the
>>> validation methods now available per BR 3.2.2.4 and 3.2.2.5. Would it be
>>> simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP validations
>>> older than 398 days?
>>>
>