[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Mon Feb 8 20:03:39 UTC 2021

Here are my initial thoughts:

In BR Section 4.2.1, add a sentence -  *This does not apply to the
validation of domain authorization or control performed under Section
3.2.2.4 or the authentication of an IP address performed under Section
3.2.2.5.*

In BR Section 3.2.2.4 add, "*For Certificates issued on or after July 1,
2021, the CA SHALL verify that each FQDN is current and correct at
intervals of 398 days or less*."

In BR Section 3.2.2.5 add, "*For Certificates issued on or after July 1,
2021, the CA SHALL verify that each IP address is current and correct at
intervals of 398 days or less.*

Replace in both sections, "In all cases, the validation must have been
initiated within the time period specified in the relevant requirement
(such as Section 4.2.1 of this document) prior to Certificate issuance."
with "*In all cases, the validation must have been completed within the 398
days preceding certificate issuance.*"

Amend BR section 3.2.2.4.6 to remove any exception that would still allow
CA to "continue to re-use information and validations for domains validated
under this method per the applicable certificate data reuse periods."  (The
Method 6 was deprecated June 3, 2020.)

Amend BR section 3.2.2.5.1 and possibly make the Random Value valid for
only 30 days or 60 days because what is meant by "if the Applicant
submitted the certificate request"?  Otherwise, just editing out some of
the existing language it would read something like, "If a Random Value is
used, the CA SHALL provide a Random Value unique to the certificate request
and SHALL not use the Random Value after the longer of (i) 30 days or (ii)
if the Applicant submitted the certificate request, 398 days," but someone
should explain how that makes any sense.

Tie up any other loose ends.  For instance, do we leave the EV guidelines
alone at thirteen months for Domain Names? See EVG section 11.14.3(1)(F).

On Mon, Feb 8, 2021 at 11:29 AM Chema Lopez <clopez at firmaprofesional.com>
wrote:

> Ben, Firmaprofesional will also endorse shortening the re-use period for
> Domain Name and IP Address Validation to 398 days, if needed.
>
>
>
> *Chema López*
>
> Director Área Innovación, Cumplimiento y Tecnología
>
> +34 666 429 224
>
>
>
>
>
>
> *Barcelona  *Av. Torre Blanca 57, Edif. Esadecreapolis, Local 3B6 - 08173
> Sant Cugat del Vallès | +34 934 774 245
>
> *Madrid  *C/ Velázquez 59, 1º Ctro-Izda. - 28001 Madrid | +34 915 762 181
>
>
> www.firmaprofesional.com
>
>
>
> *El contenido de este correo electrónico y de sus anexos es confidencial.
> Si usted recibe este mensaje por error, debe saber que está prohibido hacer
> uso, divulgación y/o copia del mismo. En tal caso le agradeceríamos que
> advierta de inmediato a su remitente y que proceda a destruir el mensaje.*
>
>
>
> *Le informamos que, cumpliendo la normativa en materia de protección de
> datos, FIRMAPROFESIONAL tratará sus datos con la finalidad de garantizar
> las relaciones con la empresa, entidad u organización a la que usted
> representa o en la que trabaja y por el período que dure dicha
> relación. Podrá ejercer sus derechos de acceso, rectificación, supresión,
> limitación, portabilidad y oposición al tratamiento ante el Responsable:
> FIRMAPROFESIONAL, S.A., Av. Torre Blanca, 57, local 3B6 (Edificio
> Esadecreapolis), 08173 Sant Cugat del Vallès (Barcelona), o bien mediante
> correo electrónico a: rgpd at firmaprofesional.com
> <rgpd at firmaprofesional.com>, en cualquier caso adjuntando una copia de su
> D.N.I. o documento equivalente. Asimismo, podrá formular reclamaciones ante
> la Agencia Española de Protección de Datos. Para más información puede
> consultar nuestra política de privacidad
> <https://www.firmaprofesional.com/esp/aviso-legal>.*
>
>
> On Mon, 8 Feb 2021 at 19:07, Dimitris Zacharopoulos (HARICA) via
> Servercert-wg <servercert-wg at cabforum.org> wrote:
>
>>
>> Ben,
>>
>> HARICA will endorse shortening the re-use period for Domain Name and IP
>> Address Validation to 398 days.
>>
>> Dimitris.
>>
>> On 8/2/2021 7:54 μ.μ., Ben Wilson via Servercert-wg wrote:
>>
>> It's doable - but I'd like to see if anyone wants to endorse a ballot
>> here to make the necessary modifications to section 4.2.1, or whether I
>> assume not and just focus on the Mozilla Root Store Policy Issue # 206.
>>
>> On Sat, Feb 6, 2021 at 9:59 AM Ryan Sleevi <sleevi at google.com> wrote:
>>
>>> I'm curious if you could explain why it doesn't seem realistic. Given
>>> the data provided, it seems eminently and readily achievable.
>>>
>>> Since this only applies to reuse of domain/IP address validation, it
>>> seems like we can look at a shorter period, since as noted in the past,
>>> this data is subject to regular change, and thus needs regular
>>> re-validation. As work such as BygoneSSL shows, simply relying on "domain
>>> registrations are a year" is not sufficient justification, since domain
>>> control regularly changes (e.g. migration of Cloud providers)
>>>
>>> On Fri, Feb 5, 2021 at 7:07 PM Ben Wilson via Servercert-wg <
>>> servercert-wg at cabforum.org> wrote:
>>>
>>>> I am still interested in passing a CABF SC ballot to resolve this
>>>> issue. I originally proposed an implementation date of July 1, 2021, which
>>>> does not seem realistic now. One CA has indicated that they would endorse
>>>> such a ballot if they had a year to work it through with their customers.
>>>> Thoughts?
>>>> Thanks,
>>>> Ben
>>>>
>>>> On Wed, Dec 2, 2020 at 2:55 PM Ben Wilson <bwilson at mozilla.com> wrote:
>>>>
>>>>> I am loath to create this thread and to have two simultaneous
>>>>> discussions on the same topic in two different fora, but I want to see if
>>>>> the CA/Browser Forum is willing to incorporate substantially the same
>>>>> 398-day policy, as discussed below, in its Baseline Requirements and EV
>>>>> Guidelines.
>>>>>
>>>>> On the Mozilla Dev Security Policy (mdsp) list (
>>>>> https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/2ojwLrslBQAJ)
>>>>> and in the Mozilla policy issues list on GitHub (
>>>>> https://github.com/mozilla/pkipolicy/issues/206), Mozilla is
>>>>> considering amending subsection 5 of section 2.1 of the Mozilla Root
>>>>> Store Policy
>>>>> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations>
>>>>> to reduce the reuse of the validation of DNS Names and IP addresses to 398
>>>>> days.
>>>>>
>>>>> Currently, Mozilla is looking at making this requirement effective as
>>>>> of July 1, 2021, with some type of phase-in period, to-be-determined.
>>>>>
>>>>> I intend to draft a ballot that would accomplish that same goal within
>>>>> BR section 4.2.1, and elsewhere as might be necessary in the Baseline
>>>>> Requirements and EV Guidelines.
>>>>>
>>>>> To prime the discussion here, one issue discussed on the mdsp list is
>>>>> the phase-in, if any, of this 398-day requirement. I have suggested that
>>>>> sunsetting 825-day DNS/IP validations through 2023 is too long, given the
>>>>> validation methods now available per BR 3.2.2.4 and 3.2.2.5.  Would it be
>>>>> simpler just to prohibit, as of 7/1/2021, any reuse of DNS/IP validations
>>>>> older than 398 days?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>> Servercert-wg mailing list
>>>> Servercert-wg at cabforum.org
>>>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>>
>>>
>> _______________________________________________
>> Servercert-wg mailing listServercert-wg at cabforum.orghttps://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
>>
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210208/437a9f20/attachment-0001.html>