[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Ben Wilson bwilson at mozilla.com
Wed Feb 10 00:03:34 UTC 2021


All,


>
>> Amend BR section 3.2.2.5.1 and possibly make the Random Value valid for
>> only 30 days or 60 days because what is meant by "if the Applicant
>> submitted the certificate request"?  Otherwise, just editing out some of
>> the existing language it would read something like, "If a Random Value
>> is used, the CA SHALL provide a Random Value unique to the certificate
>> request and SHALL not use the Random Value after the longer of (i) 30 days
>> or (ii) if the Applicant submitted the certificate request, 398 days," but
>> someone should explain how that makes any sense.
>>
>
> I seem to recall that harmonizing the Random Value (which, I agree, is
> also a good change) touches a few other sections. In particular, we
> identified previously that the (ii) is an anti-pattern; that is, that the
> Random Value should be valid 30 days or less, and it's the cached
> validation that is reused after that, rather than the Random Value itself.
> We updated several of the places, but not all. That is, 3.2.2.4.7 also
> needs to be cleaned up
>
>
Can someone propose alternative language that says what was intended (i.e.
"cached validation" as indicated by Ryan)?  Otherwise, in BR section
3.2.2.4.7 (DNS Change) and BR section 3.2.2.5.1 (Agreed Upon Change to
Website), as part of this proposed ballot, I intend to limit use of the
Random Value to 30 days and delete the phrase "ii. if the Applicant
submitted the Certificate request, the timeframe permitted for reuse of
validated information relevant to the Certificate (such as in Section 4.2.1
of these Guidelines or Section 11.14.3 of the EV Guidelines)"  because it
makes no sense as currently worded. In any event, even the structure is bad
because it combines two unrelated conditions into one concept. In other
words, it wouldn't make sense to say the longer of (i) 30 days or (ii) 398
days for cached validations.  As proposed by the ballot, the 398-day limit
will apply to all methods of validation.

I am still a little unclear on the intent of the language in (ii).  Would
the intent have been better served if that second part had been placed in a
separate sentence? E.g., "The same Random Value may also be used for
submitting subsequent certificate requests for the same domain for the
timeframe permitted for reuse ...."

Thanks,

Ben
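The distinction Ryan draws above (a short-lived Random Value versus a longer-lived cached validation) is easy to get wrong in a CA's issuance logic, and the "longer of (i) 30 days or (ii) 398 days" wording is what makes it confusable. The following Python sketch is an added illustration, not text from the ballot or code from any CA or from the Baseline Requirements; it models the two windows as separate checks and, for contrast, a helper that computes the window under the "longer of" wording. The 30-day and 398-day limits are the ones quoted in the thread; treating both limits as inclusive of the boundary day, the `ValidationRecord` shape and the `Decision` names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Limits quoted in the thread (assumed inclusive of the boundary day).
RANDOM_VALUE_MAX_AGE = timedelta(days=30)      # Random Value usable at most 30 days
VALIDATION_REUSE_MAX_AGE = timedelta(days=398)  # cached validation reusable at most 398 days


class Decision(Enum):
    REUSE_CACHED_VALIDATION = "reuse cached validation"
    COMPLETE_PENDING_VALIDATION = "Random Value still fresh; complete the pending validation"
    REVALIDATE = "issue a new Random Value and validate again"


@dataclass
class ValidationRecord:
    """Hypothetical per-domain record a CA keeps for one validation attempt."""
    domain: str
    random_value_issued_at: datetime          # when the Random Value was handed to the Applicant
    validated_at: Optional[datetime] = None   # None until domain control was confirmed


def decide(record: ValidationRecord, domain: str, now: datetime) -> Decision:
    """Decide how a new certificate request for `domain` may rely on `record`.

    The two windows are evaluated independently: a completed validation may be
    reused for up to 398 days, while an *unfinished* validation may only be
    completed while its Random Value is no more than 30 days old. The Random
    Value itself never outlives 30 days, regardless of the reuse window.
    """
    if record.domain != domain:
        return Decision.REVALIDATE  # a Random Value is unique to one request/domain
    if record.validated_at is not None:
        if now - record.validated_at <= VALIDATION_REUSE_MAX_AGE:
            return Decision.REUSE_CACHED_VALIDATION
        return Decision.REVALIDATE  # cached validation too old
    if now - record.random_value_issued_at <= RANDOM_VALUE_MAX_AGE:
        return Decision.COMPLETE_PENDING_VALIDATION
    return Decision.REVALIDATE  # Random Value expired before validation completed


def random_value_window_under_longer_of_wording(request_submitted: bool) -> timedelta:
    """Window the current 'longer of (i) 30 days or (ii) reuse period' text yields.

    This is the reading Ben objects to: once a request has been submitted, the
    wording lets the Random Value itself stay usable for the whole reuse period.
    """
    if request_submitted:
        return max(RANDOM_VALUE_MAX_AGE, VALIDATION_REUSE_MAX_AGE)
    return RANDOM_VALUE_MAX_AGE


if __name__ == "__main__":
    # Constructed sample records, not real CA data.
    now = datetime(2021, 2, 10, tzinfo=timezone.utc)
    fresh = ValidationRecord("example.test", now - timedelta(days=10))
    done = ValidationRecord("example.test", now - timedelta(days=120), now - timedelta(days=100))
    stale = ValidationRecord("example.test", now - timedelta(days=420), now - timedelta(days=400))
    for rec in (fresh, done, stale):
        print(rec.validated_at, "->", decide(rec, "example.test", now).value)
    print("window under 'longer of' wording:",
          random_value_window_under_longer_of_wording(True).days, "days")
```

Read this way, the 398-day figure belongs only to `validated_at`, and a request arriving on day 31 with no completed validation has to start over with a fresh Random Value even though the eventual validation, once completed, will be reusable for 398 days.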