[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Ben Wilson bwilson at mozilla.com
Mon Feb 15 18:44:17 UTC 2021


I have created a GitHub branch to make changes in for this ballot.
https://github.com/BenWilson-Mozilla/servercert/tree/398-day-FQDN-validation/docs
I intend to replace "thirteen months" in section 11.14.3 of the EV
Guidelines with "398 days".

On Tue, Feb 9, 2021 at 5:03 PM Ben Wilson via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> All,
>
>
>>
>>> Amend BR section 3.2.2.5.1 and possibly make the Random Value valid for
>>> only 30 days or 60 days because what is meant by "if the Applicant
>>> submitted the certificate request"?  Otherwise, just editing out some of
>>> the existing language it would read something like, "If a Random Value
>>> is used, the CA SHALL provide a Random Value unique to the certificate
>>> request and SHALL not use the Random Value after the longer of (i) 30 days
>>> or (ii) if the Applicant submitted the certificate request, 398 days," but
>>> someone should explain how that makes any sense.
>>>
>>
>> I seem to recall that harmonizing the Random Value (which, I agree, is
>> also a good change) touches a few other sections. In particular, we
>> identified previously that the (ii) is an anti-pattern; that is, that the
>> Random Value should be valid 30 days or less, and it's the cached
>> validation that is reused after that, rather than the Random Value itself.
>> We updated several of the places, but not all. That is, 3.2.2.4.7 also
>> needs to be cleaned up.
>>
>>
> Can someone propose alternative language that says what was intended (i.e.
> "cached validation" as indicated by Ryan)?  Otherwise, in BR section
> 3.2.2.4.7 (DNS Change) and BR section 3.2.2.5.1 (Agreed Upon Change to
> Website), as part of this proposed ballot, I intend to limit use of the
> Random Value to 30 days and delete the phrase "ii. if the Applicant
> submitted the Certificate request, the timeframe permitted for reuse of
> validated information relevant to the Certificate (such as in Section 4.2.1
> of these Guidelines or Section 11.14.3 of the EV Guidelines)"  because it
> makes no sense as currently worded. In any event, even the structure is bad
> because it combines two unrelated conditions into one concept. In other
> words, it wouldn't make sense to say the longer of (i) 30 days or (ii) 398
> days for cached validations.  As proposed by the ballot, the 398-day limit
> will apply to all methods of validation.
>
> I am still a little unclear on the intent of the language in (ii).  Would
> the intent have been better served if that second part had been placed in a
> separate sentence? E.g., "The same Random Value may also be used for
> submitting subsequent certificate requests for the same domain for the
> timeframe permitted for reuse ...."
>
> Thanks,
>
> Ben