Hi Ben,

For now I won't comment on the 398 day limit or the date which you propose this to take effect (July 1, 2021), but on the ability of CAs to re-use domain validations completed prior to 1 July for their full 825 re-use period. I'm assuming that the 398 day limit is only for those domains validated on or after 1 July, 2021. Maybe that is your intent, but the wording is not clear (it's never been all that clear).
Could you consider changing it to read more like this (feel free to edit as needed):

CAs may re-use domain validation for subjectAltName verifications of dNSNames and IPAddresses done prior to July 1, 2021 for up to 825 days <in accordance with domain validation re-use in the BRs, section 4.2.1>. CAs MUST limit domain re-use for subjectAltName verifications of dNSNames and IPAddresses to 398 days for domains validated on or after July 1, 2021.

> From a CA perspective, I don't have any major concerns with shortening the domain re-use periods, but customers do/will. Will there be a Mozilla blog that outlines the security improvements with cutting the re-use period in half and why July 2021 is the right time?

Doug

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Ben Wilson via dev-security-policy
Sent: Monday, November 30, 2020 2:27 PM
To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

The purpose of this email is to begin public discussion on a modification to subsection 5 in section 2.1 of the Mozilla Root Store Policy. Issue #206 <https://github.com/mozilla/pkipolicy/issues/206> in GitHub discusses the need to bring the reuse period for domain validation in line with the certificate issuance validity cycle of 398 days (as set forth in section 6.3.2 of the Baseline Requirements). This proposal is not to say that Mozilla is not also contemplating a ballot in the CA/Browser Forum that would introduce similar language to the Baseline Requirements. Any potential CABF endorsers of such a ballot should reach out to me off-list.
Currently, subsection 5 of section 2.1 of the Mozilla Root Store Policy (MRSP) states that a CA must “verify that all of the information that is included in SSL certificates remains current and correct at time intervals of 825 days or less;”

It is proposed that a subsection 5.1 be added to this subsection to require that, for subjectAltName verifications of dNSNames or IPAddresses performed on or after July 1, 2021, CAs verify the dNSName or IPAddress at intervals of 398 days or less.

Proposed language may be found in the following commit: https://github.com/BenWilson-Mozilla/pkipolicy/commit/b7b53eea3a0af1503f3c99632ba22efc9e86bee2

Restated here, the proposed language for subsection 5.1 of section 2.1 is: "for subjectAltName verifications of dNSNames and IPAddresses performed on or after July 1, 2021, verify that each dNSName or IPAddress is current and correct at intervals of 398 days or less;"

I look forward to your comments, suggestions and discussions.

Thanks,
Ben

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
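To make the ambiguity Doug raises concrete, here is an added example (not code from the thread, Mozilla or any CA) that computes a domain validation's re-use window under the two readings of the proposed text: the one in Doug's suggested wording, where the limit is keyed to the validation date, and the stricter one, where any issuance on or after the cut-over needs a validation no older than 398 days. The cut-over date and the 825/398-day limits come from the thread; the reading names and function names are this example's own.

```python
from datetime import date, timedelta

# Dates and limits taken from the thread (proposed MRSP 2.7.1, Issue #206).
CUTOVER = date(2021, 7, 1)   # proposed effective date of subsection 5.1
LEGACY_REUSE_DAYS = 825      # current MRSP 2.1(5) / BR 4.2.1 re-use period
NEW_REUSE_DAYS = 398         # proposed limit for dNSName/IPAddress re-use
ONE_DAY = timedelta(days=1)

def reuse_limit_days(validated_on: date, issued_on: date,
                     reading: str = "validation-date") -> int:
    """Days a domain validation may be re-used, under one of two readings.

    "validation-date": Doug's proposed wording. Validations completed before
        CUTOVER keep 825 days; those completed on or after CUTOVER get 398.
    "issuance-date": the stricter reading. Any issuance on or after CUTOVER
        needs a validation no older than 398 days, whenever it was performed.
    """
    if reading == "validation-date":
        return LEGACY_REUSE_DAYS if validated_on < CUTOVER else NEW_REUSE_DAYS
    if reading == "issuance-date":
        return LEGACY_REUSE_DAYS if issued_on < CUTOVER else NEW_REUSE_DAYS
    raise ValueError(f"unknown reading: {reading}")

def may_reuse(validated_on: date, issued_on: date,
              reading: str = "validation-date") -> bool:
    """True if a certificate issued on issued_on may rely on this validation."""
    if issued_on < validated_on:
        raise ValueError("issuance cannot precede validation")
    limit = reuse_limit_days(validated_on, issued_on, reading)
    return issued_on - validated_on <= timedelta(days=limit)

def reuse_deadline(validated_on: date, reading: str = "validation-date") -> date:
    """Last issuance date on which the validation is still current."""
    legacy_end = validated_on + timedelta(days=LEGACY_REUSE_DAYS)
    new_end = validated_on + timedelta(days=NEW_REUSE_DAYS)
    if reading == "validation-date":
        return legacy_end if validated_on < CUTOVER else new_end
    if reading != "issuance-date":
        raise ValueError(f"unknown reading: {reading}")
    # Under the issuance-date reading the 825-day window only covers issuances
    # before CUTOVER, so an older validation can stop being usable on the
    # cut-over day itself: a cliff that the validation-date reading avoids.
    if legacy_end < CUTOVER:
        return legacy_end
    return max(new_end, CUTOVER - ONE_DAY)

if __name__ == "__main__":
    # Constructed sample validation dates: well before, just before, and on the cut-over.
    for v in (date(2019, 6, 1), date(2021, 6, 30), date(2021, 7, 1)):
        print(v, "validation-date:", reuse_deadline(v),
              "issuance-date:", reuse_deadline(v, "issuance-date"))
```

A validation from 1 June 2019 is usable on 30 June 2021 under both readings, but from 1 July 2021 only under Doug's wording, which is exactly the customer-facing difference his message asks about.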