[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Mon Feb 8 18:07:31 UTC 2021
Ben,
HARICA will endorse shortening the re-use period for Domain Name and IP
Address Validation to 398 days.
Dimitris.
On 8/2/2021 7:54 p.m., Ben Wilson via Servercert-wg wrote:
> It's doable - but I'd like to see if anyone wants to endorse a ballot
> here to make the necessary modifications to section 4.2.1, or whether
> I assume not and just focus on the Mozilla Root Store Policy Issue # 206.
>
> On Sat, Feb 6, 2021 at 9:59 AM Ryan Sleevi <sleevi at google.com> wrote:
>
> I'm curious if you could explain why it doesn't seem realistic.
> Given the data provided, it seems eminently and readily achievable.
>
> Since this only applies to reuse of domain/IP address validation,
> it seems like we can look at a shorter period, since as noted in
> the past, this data is subject to regular change, and thus needs
> regular re-validation. As work such as BygoneSSL shows, simply
> relying on "domain registrations are a year" is not sufficient
> justification, since domain control regularly changes (e.g.
> migration of Cloud providers)
>
> On Fri, Feb 5, 2021 at 7:07 PM Ben Wilson via Servercert-wg
> <servercert-wg at cabforum.org> wrote:
>
> I am still interested in passing a CABF SC ballot to resolve
> this issue. I originally proposed an implementation date of
> July 1, 2021, which does not seem realistic now. One CA has
> indicated that they would endorse such a ballot if they had a
> year to work it through with their customers.
> Thoughts?
> Thanks,
> Ben
>
> On Wed, Dec 2, 2020 at 2:55 PM Ben Wilson <bwilson at mozilla.com> wrote:
>
> I am loath to create this thread and to have two
> simultaneous discussions on the same topic in two
> different fora, but I want to see if the CA/Browser Forum
> is willing to incorporate substantially the same 398-day
> policy, as discussed below, in its Baseline Requirements
> and EV Guidelines.
>
> On the Mozilla Dev Security Policy (mdsp) list
> (https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ)
> and in the Mozilla policy issues list on GitHub
> (https://github.com/mozilla/pkipolicy/issues/206),
> Mozilla is considering amending subsection 5 of section
> 2.1 of the Mozilla Root Store Policy
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations>
> to reduce the reuse of the validation of DNS Names and IP
> addresses to 398 days.
>
> Currently, Mozilla is looking at making this requirement
> effective as of July 1, 2021, with some type of phase-in
> period, to-be-determined.
>
> I intend to draft a ballot that would accomplish that same
> goal within BR section 4.2.1, and elsewhere as might be
> necessary in the Baseline Requirements and EV Guidelines.
>
> To prime the discussion here, one issue discussed on the
> mdsp list is the phase-in, if any, of this 398-day
> requirement. I have suggested that sunsetting 825-day
> DNS/IP validations through 2023 is too long, given the
> validation methods now available per BR 3.2.2.4 and
> 3.2.2.5. Would it be simpler just to prohibit, as of
> 7/1/2021, any reuse of DNS/IP validations older than 398
> days?
>
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg