Thanks for the clarification, Kathleen. I tried my best not to make 
assumptions. 

- Paul

> On Mar 11, 2020, at 5:28 PM, Kathleen Wilson via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> On 3/11/20 4:37 PM, Paul Walsh wrote:
>>>> On Mar 11, 2020, at 4:11 PM, Kathleen Wilson via dev-security-policy 
>>>> <dev-security-policy@lists.mozilla.org> wrote:
>>> 
>>> On 3/11/20 3:51 PM, Paul Walsh wrote:
>>>> Can you provide some insight into why you think a shorter frequency in 
>>>> domain validation would be beneficial?
>> [PW] If the owner’s identity has already been validated and that information 
>> is still valid, why ask them to validate again? 
> 
> 
> By "domain validation" I specifically mean verifying that the certificate 
> requestor owns/controls the domain name(s) to be included in the TLS 
> certificate.
> 
> 
>> [PW] I believe it’s a good idea to ensure they’re still in control of the 
>> domain. 
> 
> 
> So I guess we are in agreement on this.
> 
> 
>> My comment is in relation to the cost of validating their identity.
> 
> 
> My proposal has nothing to do with identity validation.
> 
> 
> 
>> [PW] Thanks for this info. If this is already part of the CA/B Forum, is it 
>> your intention to potentially do something different/specific for Firefox, 
>> irrespective of what happens in that forum?
> 
> 
> My proposal is that if we are going to update Mozilla's policy to require TLS 
> certs to have a validity period of 398 days or less, we should also update 
> Mozilla's policy to say that re-use of domain validation is only valid up to 
> 398 days, i.e. the ownership/control of the domain name should be 
> re-validated before the renewal cert is issued.
> 
> Currently Mozilla's policy and the BRs allow the CA to re-use domain 
> validation results for up to 825 days (which is in line with the 825-day 
> certificate validity period currently allowed by the BRs).
> 
> Kathleen
> 
> 
> 
> 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy