That works, too. Thoughts?

On Tue, Mar 16, 2021 at 5:21 AM Doug Beattie <doug.beat...@globalsign.com> wrote:
> Hi Ben,
>
> Regarding the redlined spec:
> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.7.1?short_path=73f95f7#diff-73f95f7d2475645ef6fc93f65ddd9679d66efa9834e4ce415a2bf79a16a7cdb6
>
> Is this a meaningful statement given max validity is 398 days now?
> 5. verify that all of the information that is included in server
> certificates remains current and correct at intervals of 825 days or less;
> I think we can remove that and then move 5.1 to item 5
>
> I find the words for this requirement 5.1 unclear.
>
> " 5.1. for server certificates issued on or after October 1, 2021,
> verify each dNSName or IPAddress in a SAN or commonName at an interval of
> 398 days or less;"
>
> Can we say:
> "5.1. for server certificates issued on or after October 1, 2021, each
> dNSName or IPAddress in a SAN or commonName MUST have been validated <in
> accordance with the CABF Baseline Requirements?> within the prior 398 days.
>
>
>
> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
> On Behalf Of Ben Wilson via dev-security-policy
> Sent: Monday, March 8, 2021 6:38 PM
> To: mozilla-dev-security-policy <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name
> verification to 398 days
>
> All,
>
> Here is the currently proposed wording for subsection 5.1 of MRSP section
> 2.1:
>
> " 5.1. for server certificates issued on or after October 1, 2021, verify
> each dNSName or IPAddress in a SAN or commonName at an interval of 398 days
> or less;"
>
> Ben
>
> On Fri, Feb 26, 2021 at 9:48 AM Ryan Sleevi <r...@sleevi.com> wrote:
>
> >
> > On Thu, Feb 25, 2021 at 7:55 PM Clint Wilson via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> >> I think it makes sense to separate out the date for domain validation
> >> expiration from the issuance of server certificates with previously
> >> validated domain names, but agree with Ben that the timeline doesn’t
> >> seem to need to be prolonged. What about something like this:
> >>
> >> 1. Domain name or IP address verifications performed on or after
> >> July 1, 2021 may be reused for a maximum of 398 days.
> >> 2. Server certificates issued on or after September 1, 2021 must have
> >> completed domain name or IP address verification within the preceding
> >> 398 days.
> >>
> >> This effectively stretches the “cliff” out across ~6 months (now
> >> through the end of August), which seems reasonable.
> >>
> >
> > Yeah, that does sound reasonable.
> >
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy