Kathleen, Changing the domain validation re-user period is a substantial change from the Apple proposed max validity period change and will place an additional burden on certificate Applicants to update their domain validation more than twice as frequently. This would be a sudden and large departure from the BRs. Certificate validity and domain validation re-use periods don’t necessarily need to be tied to the same value, so having certificate validity capped at 398 days and domain re-use set at 825 days isn’t contradictory.
Can you also provide, in a blog or a publicly posted article, the reasons for shortening the certificate validity? There are hundreds of comments and suggestions in multiple mail lists, but there is a lack of a documented formal security analysis of the recommended changes that we can point our customers to. Doug -----Original Message----- From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Kathleen Wilson via dev-security-policy Sent: Wednesday, March 11, 2020 8:29 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: About upcoming limits on trusted certificates On 3/11/20 4:37 PM, Paul Walsh wrote: > >> On Mar 11, 2020, at 4:11 PM, Kathleen Wilson via dev-security-policy >> <dev-security-policy@lists.mozilla.org> wrote: >> >> On 3/11/20 3:51 PM, Paul Walsh wrote: >>> Can you provide some insight to why you think a shorter frequency in domain >>> validation would be beneficial? > [PW] If the owner’s identity has already been validated and that information > is still valid, why ask them to validate again? By "domain validation" I specifically mean verifying that the certificate requestor owns/controls the domain name(s) to be included in the TLS certificate. > [PW] I believe it’s a good idea to ensure they’re still in control of the > domain. So I guess we are in agreement on this. > My comment is in relation to the cost of validating their identity. My proposal has nothing to do with identity validation. > [PW] Thanks for this info. If this is already part of the CA/B Forum, is it > your intention to potentially do something different/specific for Firefox, > irrespective of what happens in that forum? > My proposal is that if we are going to update Mozilla's policy to require TLS certs to have validity period of 398 days or less, we should also update Mozilla's policy to say that re-use of domain validation is only valid up to 398 days. i.e. the ownership/control of the domain name should be re-validated before the renewal cert is issued. Currently Mozilla's policy and the BRs allow the CA to re-use domain validation results for up to 825 days. (which is inline with the 825 day certificate validity period currently allowed by the BRs) Kathleen _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
