[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Ben Wilson bwilson at mozilla.com
Mon Feb 8 18:09:26 UTC 2021


Thanks.  I'll work on a draft ballot and circulate it.

On Mon, Feb 8, 2021 at 11:07 AM Dimitris Zacharopoulos (HARICA) <
dzacharo at harica.gr> wrote:

>
> Ben,
>
> HARICA will endorse shortening the re-use period for Domain Name and IP
> Address Validation to 398 days.
>
> Dimitris.
>
> On 8/2/2021 7:54 p.m., Ben Wilson via Servercert-wg wrote:
>
> It's doable - but I'd like to see if anyone wants to endorse a ballot here
> to make the necessary modifications to section 4.2.1, or whether I assume
> not and just focus on the Mozilla Root Store Policy Issue # 206.
>
> On Sat, Feb 6, 2021 at 9:59 AM Ryan Sleevi <sleevi at google.com> wrote:
>
>> I'm curious if you could explain why it doesn't seem realistic. Given the
>> data provided, it seems eminently and readily achievable.
>>
>> Since this only applies to reuse of domain/IP address validation, it
>> seems like we can look at a shorter period, since as noted in the past,
>> this data is subject to regular change, and thus needs regular
>> re-validation. As work such as BygoneSSL shows, simply relying on "domain
>> registrations are a year" is not sufficient justification, since domain
>> control regularly changes (e.g. migration of Cloud providers)
>>
>> On Fri, Feb 5, 2021 at 7:07 PM Ben Wilson via Servercert-wg <
>> servercert-wg at cabforum.org> wrote:
>>
>>> I am still interested in passing a CABF SC ballot to resolve this issue.
>>> I originally proposed an implementation date of July 1, 2021, which does
>>> not seem realistic now. One CA has indicated that they would endorse such a
>>> ballot if they had a year to work it through with their customers.
>>> Thoughts?
>>> Thanks,
>>> Ben
>>>
>>> On Wed, Dec 2, 2020 at 2:55 PM Ben Wilson <bwilson at mozilla.com> wrote:
>>>
>>>> I am loath to create this thread and to have two simultaneous
>>>> discussions on the same topic in two different fora, but I want to see if
>>>> the CA/Browser Forum is willing to incorporate substantially the same
>>>> 398-day policy, as discussed below, in its Baseline Requirements and EV
>>>> Guidelines.
>>>>
>>>> On the Mozilla Dev Security Policy (mdsp) list (
>>>> https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ)
>>>> and in the Mozilla policy issues list on GitHub (
>>>> https://github.com/mozilla/pkipolicy/issues/206), Mozilla is
>>>> considering amending subsection 5 of section 2.1 of the Mozilla Root
>>>> Store Policy
>>>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations>
>>>> to reduce the reuse of the validation of DNS Names and IP addresses to 398
>>>> days.
>>>>
>>>> Currently, Mozilla is looking at making this requirement effective as
>>>> of July 1, 2021, with some type of phase-in period, to-be-determined.
>>>>
>>>> I intend to draft a ballot that would accomplish that same goal within
>>>> BR section 4.2.1, and elsewhere as might be necessary in the Baseline
>>>> Requirements and EV Guidelines.
>>>>
>>>> To prime the discussion here, one issue discussed on the mdsp list is
>>>> the phase-in, if any, of this 398-day requirement. I have suggested that
>>>> sunsetting 825-day DNS/IP validations through 2023 is too long, given the
>>>> validation methods now available per BR 3.2.2.4 and 3.2.2.5.  Would it be
>>>> simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP validations
>>>> older than 398 days?
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>> Servercert-wg mailing list
>>> Servercert-wg at cabforum.org
>>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>
>>