[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Ben Wilson bwilson at mozilla.com
Mon Feb 15 18:49:59 UTC 2021


See
https://github.com/BenWilson-Mozilla/servercert/commit/26bd5a9f9f8bd2a251153a4cceb6226b859a3464

On Mon, Feb 15, 2021 at 11:44 AM Ben Wilson <bwilson at mozilla.com> wrote:

> I have created a GitHub branch to make changes in for this ballot.
>
> https://github.com/BenWilson-Mozilla/servercert/tree/398-day-FQDN-validation/docs
> I intend to replace "thirteen months" in section 11.14.3 of the EV
> Guidelines with "398 days".
>
> On Tue, Feb 9, 2021 at 5:03 PM Ben Wilson via Servercert-wg <
> servercert-wg at cabforum.org> wrote:
>
>> All,
>>
>>
>>>
>>>> Amend BR section 3.2.2.5.1 and possibly make the Random Value valid for
>>>> only 30 days or 60 days because what is meant by "if the Applicant
>>>> submitted the certificate request"?  Otherwise, just editing out some of
>>>> the existing language it would read something like, "If a Random Value
>>>> is used, the CA SHALL provide a Random Value unique to the certificate
>>>> request and SHALL not use the Random Value after the longer of (i) 30 days
>>>> or (ii) if the Applicant submitted the certificate request, 398 days," but
>>>> someone should explain how that makes any sense.
>>>>
>>>
>>> I seem to recall that harmonizing the Random Value (which, I agree, is
>>> also a good change) touches a few other sections. In particular, we
>>> identified previously that the (ii) is an anti-pattern; that is, that the
>>> Random Value should be valid 30 days or less, and it's the cached
>>> validation that is reused after that, rather than the Random Value itself.
>>> We updated several of the places, but not all. That is, 3.2.2.4.7 also
>>> needs to be cleaned up
>>>
>>>
>> Can someone propose alternative language that says what was intended
>> (i.e. "cached validation" as indicated by Ryan)?  Otherwise, in BR section
>> 3.2.2.4.7 (DNS Change) and BR section 3.2.2.5.1 (Agreed Upon Change to
>> Website), as part of this proposed ballot, I intend to limit use of the
>> Random Value to 30 days and delete the phrase "ii. if the Applicant
>> submitted the Certificate request, the timeframe permitted for reuse of
>> validated information relevant to the Certificate (such as in Section 4.2.1
>> of these Guidelines or Section 11.14.3 of the EV Guidelines)"  because it
>> makes no sense as currently worded. In any event, even the structure is bad
>> because it combines two unrelated conditions into one concept. In other
>> words, it wouldn't make sense to say the longer of (i) 30 days or (ii) 398
>> days for cached validations.  As proposed by the ballot, the 398-day limit
>> will apply to all methods of validation.
>>
>> I am still a little unclear on the intent of the language in (ii).  Would
>> the intent have been better served if that second part had been placed in a
>> separate sentence? E.g., "The same Random Value may also be used for
>> submitting subsequent certificate requests for the same domain for the
>> timeframe permitted for reuse ...."
>>
>> Thanks,
>>
>> Ben
>> _______________________________________________
>> Servercert-wg mailing list
>> Servercert-wg at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>
>
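The distinction the thread circles around (a Random Value that is short-lived and bound to one certificate request, versus a completed validation that may be cached and reused for up to 398 days) is easier to see as two independent expiry checks. The following Python model is an added illustration, not text from the ballot, the Baseline Requirements, or any CA's code. It assumes the proposed numbers from the thread (30 days for the Random Value, 398 days for validation reuse), and the FQDN, request identifiers and dates in it are constructed for the example. It also encodes the old "longer of (i) 30 days or (ii) the reuse timeframe" wording side by side so the anti-pattern Ryan describes, applying the reuse window to the Random Value itself rather than to the cached validation, shows up as a concrete difference in behaviour.

```python
"""Random Value vs. cached validation: two separate clocks (added example).

Assumptions, taken from the thread rather than from the BRs themselves:
  * RANDOM_VALUE_MAX_AGE: a Random Value is unique to one certificate request
    and MUST NOT be used more than 30 days after the CA provides it.
  * VALIDATION_REUSE_MAX_AGE: a completed domain validation may be reused for
    up to 398 days after it was completed.
All FQDNs, request ids and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import secrets

RANDOM_VALUE_MAX_AGE = timedelta(days=30)       # proposed limit on the Random Value
VALIDATION_REUSE_MAX_AGE = timedelta(days=398)  # proposed limit on reusing a validation


@dataclass(frozen=True)
class RandomValue:
    value: str
    request_id: str  # the one certificate request this value was issued for
    issued: date

    def is_usable(self, request_id: str, today: date) -> bool:
        """Proposed wording: same request AND no older than 30 days."""
        return self.request_id == request_id and today - self.issued <= RANDOM_VALUE_MAX_AGE

    def is_usable_old_wording(self, today: date, applicant_submitted_request: bool) -> bool:
        """Old 'longer of (i) 30 days or (ii) the reuse timeframe' wording.

        This is the anti-pattern: once the Applicant has submitted a request,
        the Random Value itself stays valid for the whole 398-day reuse window.
        """
        limit = RANDOM_VALUE_MAX_AGE
        if applicant_submitted_request:
            limit = max(limit, VALIDATION_REUSE_MAX_AGE)
        return today - self.issued <= limit


@dataclass(frozen=True)
class DomainValidation:
    fqdn: str
    method: str  # e.g. "3.2.2.4.7" (DNS Change) or "3.2.2.5.1" (Agreed-Upon Change to Website)
    completed: date

    def is_reusable(self, today: date) -> bool:
        """Cached validation may be relied on for up to 398 days."""
        return today - self.completed <= VALIDATION_REUSE_MAX_AGE


def new_random_value(request_id: str, today: date) -> RandomValue:
    """Mint a fresh, request-bound Random Value (128 bits of entropy)."""
    return RandomValue(secrets.token_hex(16), request_id, today)


def validation_basis(fqdn: str, cache: dict, rv, request_id: str, today: date) -> str:
    """Decide what the CA may rely on for fqdn today under the proposed wording.

    1. A still-valid cached validation is reused (no Random Value needed).
    2. Otherwise a Random Value is required, and it is accepted only if it is
       bound to this request and no older than 30 days.
    3. Otherwise the CA must re-validate with a newly minted Random Value.
    """
    cached = cache.get(fqdn)
    if cached is not None and cached.is_reusable(today):
        return "reuse-cached-validation"
    if rv is not None and rv.is_usable(request_id, today):
        return "fresh-validation-with-random-value"
    return "revalidate-with-new-random-value"


if __name__ == "__main__":
    day0 = date(2021, 2, 15)
    rv = new_random_value("req-1", day0)
    cache = {"example.com": DomainValidation("example.com", "3.2.2.4.7", day0)}
    for offset in (5, 200, 399):
        today = day0 + timedelta(days=offset)
        print(offset, "days:",
              "RV usable (proposed) =", rv.is_usable("req-1", today),
              "| RV usable (old wording) =", rv.is_usable_old_wording(today, True),
              "| basis =", validation_basis("example.com", cache, rv, "req-1", today))
```

At day 200 the old wording still accepts the Random Value, while the proposed split rejects it and issues on the cached validation instead; at day 399 both clocks have run out and the CA must start over with a new Random Value.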