On 3/11/20 3:51 PM, Paul Walsh wrote:
> Can you provide some insight to why you think a shorter frequency in domain validation would be beneficial?

To start with, it is common for a domain name to be purchased for one year. A certificate owner that was able to prove ownership/control of the domain name last year might not have renewed the domain name. So why should they be able to get a renewal cert without having that re-checked?


> At the very least it deserves a new thread as the potential impact could be 
> significant.

What exactly do you think is the significant impact in regards to re-verifying that the certificate requestor still has control of the domain name to be included in the new certificate?


> And out of curiosity, why not raise your question inside the CA/Browser forum 
> if you believe the original change being discussed should have been brought up 
> there? I believe the potential outcome would have a separate impact on CAs and 
> website owners. In particular, it would cost website owners in more time, 
> resource and money. For this reason, I’m assuming you’re not asking the 
> question to simply line up with another change.


It was part of the CAB Forum Ballot SC22 that was proposed last year by Google. That ballot was to change both the cert validity period and the validation information to 398 days. "| 2020-03-01 | 4.2.1 and 6.3.2 | Certificates issued SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days. Re-use of validation information limited to 398 days. |"


Reference:
https://cabforum.org/pipermail/servercert-wg/2019-August/000894.html
https://github.com/cabforum/documents/compare/master...sleevi:0a72b35f7c877e6aa1e7559f712ad9eb84b2da12?diff=split#diff-7f6d14a20e7f3beb696b45e1bf8196f2


Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
