[Servercert-wg] Reducing Domain/IP Address Validation Reuse to 398 Days

Ben Wilson bwilson at mozilla.com
Fri Feb 19 19:13:51 UTC 2021


Here is a preliminary, rough draft of Ballot SC42 for discussion and
comment.  Please let me know if you spot any deficiencies in required
content or procedure.
In other words, this email is not intended to and does not begin the
discussion period on this ballot.  A separate, official email will be sent
out next week for that purpose.

Name of Ballot:  398-Day Reuse

Purpose of Ballot:

This ballot changes validation reuse periods for FQDN and IP Address
validation in the Baseline Requirements and for all purposes in the EV
Guidelines. The ballot does not change the 825-day reuse period in section
4.2.1. of the Baseline Requirements for Organizational Validation (OV)
information.

Specifically:

* It inserts in BR section 3.2.2.4 “For Certificates issued on or after
July 1, 2021, the CA SHALL verify that each FQDN is confirmed as permitted
by this section at intervals of 398 days or less.” It also requires that
the validation be completed within the 398 days preceding certificate
issuance and removes cross-references to BR section 4.2.1.

* It modifies BR sections 3.2.2.4.3 and 3.2.2.4.6 to eliminate reuse of
FQDN validation performed under those sunsetted provisions.

* It modifies BR section 3.2.2.4.7 to replace subsections i. and ii. with a
30-day limit on reuse of the Random Value.

* It inserts in BR section 3.2.2.5 “For Certificates issued on or after
July 1, 2021, the CA SHALL validate each IP address as permitted by this
section at intervals of 398 days or less.” It also requires that the
validation be completed within the 398 days preceding certificate issuance
and removes cross-references to BR section 4.2.1.

* It clarifies BR section 4.2.1 by stating, “This 825-day period does not
apply to the validation of domain authorization or control performed under
[Section 3.2.2.4](#3224-validation-of-domain-authorization-or-control) or
the authentication of an IP address performed under [Section
3.2.2.5](#3225-authentication-for-an-ip-address), which have a 398-day
reuse period.”

* It replaces eight instances of “thirteen months/thirteen-month” in EVG
11.14.3 with 398 days.

The following motion has been proposed by Ben Wilson of Mozilla and
endorsed by Dimitris Zacharopoulos of HARICA and Chema Lopez of
Firmaprofesional.

– MOTION BEGINS –

This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly-Trusted Certificates” (“Baseline Requirements”),
based on Version 1.7.3:

MODIFY the Baseline Requirements as defined in the following redline:
https://github.com/sleevi/cabforum-docs/compare/2020-11-30_Pandocification...BenWilson-Mozilla:398-day-FQDN-validation
(GITHUB URL TO BE UPDATED)

This ballot modifies the “Guidelines for the Issuance and Management of
Extended Validation Certificates” (“EV Guidelines”) as follows, based on
Version 1.7.4:

MODIFY the EV Guidelines as defined in the following redline:
https://github.com/sleevi/cabforum-docs/compare/2020-11-30_Pandocification...BenWilson-Mozilla:398-day-FQDN-validation
(GITHUB URL TO BE UPDATED)

– MOTION ENDS –

This ballot proposes two Final Maintenance Guidelines.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: TBD

End Time: TBD

Vote for approval (7 days)

Start Time: TBD

End Time: TBD

On Mon, Feb 15, 2021 at 11:50 AM Ben Wilson via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> See
> https://github.com/BenWilson-Mozilla/servercert/commit/26bd5a9f9f8bd2a251153a4cceb6226b859a3464
>
> On Mon, Feb 15, 2021 at 11:44 AM Ben Wilson <bwilson at mozilla.com> wrote:
>
>> I have created a GitHub branch to make changes in for this ballot.
>>
>> https://github.com/BenWilson-Mozilla/servercert/tree/398-day-FQDN-validation/docs
>> I intend to replace "thirteen months" in section 11.14.3 of the EV
>> Guidelines with "398 days".
>>
>> On Tue, Feb 9, 2021 at 5:03 PM Ben Wilson via Servercert-wg <
>> servercert-wg at cabforum.org> wrote:
>>
>>> All,
>>>
>>>
>>>>
>>>>> Amend BR section 3.2.2.5.1 and possibly make the Random Value valid
>>>>> for only 30 days or 60 days because what is meant by "if the Applicant
>>>>> submitted the certificate request"?  Otherwise, just editing out some of
>>>>> the existing language it would read something like, "If a Random
>>>>> Value is used, the CA SHALL provide a Random Value unique to the
>>>>> certificate request and SHALL not use the Random Value after the longer of
>>>>> (i) 30 days or (ii) if the Applicant submitted the certificate request, 398
>>>>> days," but someone should explain how that makes any sense.
>>>>>
>>>>
>>>> I seem to recall that harmonizing the Random Value (which, I agree, is
>>>> also a good change) touches a few other sections. In particular, we
>>>> identified previously that the (ii) is an anti-pattern; that is, that the
>>>> Random Value should be valid 30 days or less, and it's the cached
>>>> validation that is reused after that, rather than the Random Value itself.
>>>> We updated several of the places, but not all. That is, 3.2.2.4.7 also
>>>> needs to be cleaned up
>>>>
>>>>
>>> Can someone propose alternative language that says what was intended
>>> (i.e. "cached validation" as indicated by Ryan)?  Otherwise, in BR section
>>> 3.2.2.4.7 (DNS Change) and BR section 3.2.2.5.1 (Agreed Upon Change to
>>> Website), as part of this proposed ballot, I intend to limit use of the
>>> Random Value to 30 days and delete the phrase "ii. if the Applicant
>>> submitted the Certificate request, the timeframe permitted for reuse of
>>> validated information relevant to the Certificate (such as in Section 4.2.1
>>> of these Guidelines or Section 11.14.3 of the EV Guidelines)"  because it
>>> makes no sense as currently worded. In any event, even the structure is bad
>>> because it combines two unrelated conditions into one concept. In other
>>> words, it wouldn't make sense to say the longer of (i) 30 days or (ii) 398
>>> days for cached validations.  As proposed by the ballot, the 398-day limit
>>> will apply to all methods of validation.
>>>
>>> I am still a little unclear on the intent of the language in (ii).
>>> Would the intent have been better served if that second part had been
>>> placed in a separate sentence? E.g., "The same Random Value may also be
>>> used for submitting subsequent certificate requests for the same domain for
>>> the timeframe permitted for reuse ...."
>>>
>>> Thanks,
>>>
>>> Ben
>>> _______________________________________________
>>> Servercert-wg mailing list
>>> Servercert-wg at cabforum.org
>>> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>>>
>> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210219/d1c90cf0/attachment-0001.html>


More information about the Servercert-wg mailing list