[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Chema Lopez clopez at firmaprofesional.com
Mon Feb 8 18:29:06 UTC 2021


Ben, Firmaprofesional will also endorse shortening the re-use period for
Domain Name and IP Address Validation to 398 days, if needed.



*Chema López*

Director of Innovation, Compliance and Technology



On Mon, 8 Feb 2021 at 19:07, Dimitris Zacharopoulos (HARICA) via
Servercert-wg <servercert-wg at cabforum.org> wrote:

>
> Ben,
>
> HARICA will endorse shortening the re-use period for Domain Name and IP
> Address Validation to 398 days.
>
> Dimitris.
>
> On 8/2/2021 7:54 PM, Ben Wilson via Servercert-wg wrote:
>
> It's doable - but I'd like to see if anyone wants to endorse a ballot here
> to make the necessary modifications to section 4.2.1, or whether I assume
> not and just focus on the Mozilla Root Store Policy Issue # 206.
>
> On Sat, Feb 6, 2021 at 9:59 AM Ryan Sleevi <sleevi at google.com> wrote:
>
>> I'm curious if you could explain why it doesn't seem realistic. Given the
>> data provided, it seems eminently and readily achievable.
>>
>> Since this only applies to reuse of domain/IP address validation, it
>> seems like we can look at a shorter period, since as noted in the past,
>> this data is subject to regular change, and thus needs regular
>> re-validation. As work such as BygoneSSL shows, simply relying on "domain
>> registrations are a year" is not sufficient justification, since domain
>> control regularly changes (e.g. migration of Cloud providers)
>>
>> On Fri, Feb 5, 2021 at 7:07 PM Ben Wilson via Servercert-wg <
>> servercert-wg at cabforum.org> wrote:
>>
>>> I am still interested in passing a CABF SC ballot to resolve this issue.
>>> I originally proposed an implementation date of July 1, 2021, which does
>>> not seem realistic now. One CA has indicated that they would endorse such a
>>> ballot if they had a year to work it through with their customers.
>>> Thoughts?
>>> Thanks,
>>> Ben
>>>
>>> On Wed, Dec 2, 2020 at 2:55 PM Ben Wilson <bwilson at mozilla.com> wrote:
>>>
>>>> I am loath to create this thread and to have two simultaneous
>>>> discussions on the same topic in two different fora, but I want to see if
>>>> the CA/Browser Forum is willing to incorporate substantially the same
>>>> 398-day policy, as discussed below, in its Baseline Requirements and EV
>>>> Guidelines.
>>>>
>>>> On the Mozilla Dev Security Policy (mdsp) list (
>>>> https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ)
>>>> and in the Mozilla policy issues list on GitHub (
>>>> https://github.com/mozilla/pkipolicy/issues/206), Mozilla is
>>>> considering amending subsection 5 of section 2.1 of the Mozilla Root
>>>> Store Policy
>>>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations>
>>>> to reduce the reuse of the validation of DNS Names and IP addresses to 398
>>>> days.
>>>>
>>>> Currently, Mozilla is looking at making this requirement effective as
>>>> of July 1, 2021, with some type of phase-in period, to-be-determined.
>>>>
>>>> I intend to draft a ballot that would accomplish that same goal within
>>>> BR section 4.2.1, and elsewhere as might be necessary in the Baseline
>>>> Requirements and EV Guidelines.
>>>>
>>>> To prime the discussion here, one issue discussed on the mdsp list is
>>>> the phase-in, if any, of this 398-day requirement. I have suggested that
>>>> sunsetting 825-day DNS/IP validations through 2023 is too long, given the
>>>> validation methods now available per BR 3.2.2.4 and 3.2.2.5.  Would it be
>>>> simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP validations
>>>> older than 398 days?
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>> Servercert-wg mailing list
>>> Servercert-wg at cabforum.org
>>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>
>>