On 3/11/20 4:37 PM, Paul Walsh wrote:

On Mar 11, 2020, at 4:11 PM, Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

On 3/11/20 3:51 PM, Paul Walsh wrote:
Can you provide some insight into why you think a shorter frequency in domain validation would be beneficial?
[PW] If the owner’s identity has already been validated and that information is still valid, why ask them to validate again?


By "domain validation" I specifically mean verifying that the certificate requestor owns/controls the domain name(s) to be included in the TLS certificate.


[PW] I believe it’s a good idea to ensure they’re still in control of the domain.


So I guess we are in agreement on this.


My comment is in relation to the cost of validating their identity.


My proposal has nothing to do with identity validation.



[PW] Thanks for this info. If this is already part of the CA/B Forum, is it your intention to potentially do something different/specific for Firefox, irrespective of what happens in that forum?



My proposal is that if we are going to update Mozilla's policy to require TLS certs to have a validity period of 398 days or less, we should also update Mozilla's policy to say that re-use of domain validation is only valid for up to 398 days, i.e. the ownership/control of the domain name should be re-validated before the renewal cert is issued.

Currently Mozilla's policy and the BRs allow the CA to re-use domain validation results for up to 825 days (which is in line with the 825-day certificate validity period currently allowed by the BRs).

Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy