The Baseline Requirements allow a number of methods that aren’t easily automated, such as validation via email. As a result, CAs don’t pursue automation, or when they support it, neither promote nor require it. This leads CAs to be opposed to efforts to shorten the reuse time, as they have historically treated it as the same complexity as identity validation, even when it doesn’t need to be.
There’s nothing intrinsically preventing it, although the practical effect is it would encourage technically automatable methods, as opposed to manual methods. On Thu, Mar 12, 2020 at 4:45 AM Julien Cristau via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Kathleen, all, > > Is there a reason domain validation information needs to be reused for more > than, say, 30 days? For the manual parts of identity validation I > understand you don't want to repeat the process too often, but domain > validation can be entirely automated so it doesn't seem like long reuse > periods are warranted. (It's entirely possible I'm missing something and > there are significant hurdles to overcome for CAs and/or applicants in > confirming domain ownership more than once a year.) > > Thanks, > Julien > > On Wed, Mar 11, 2020 at 11:39 PM Kathleen Wilson via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > All, > > > > First, I would like to say that my preference would have been for this > > type of change (limit SSL cert validity period to 398 days) to be agreed > > to in the CA/Browser Forum and added to the BRs. However, the ball is > > already rolling, and discussion here in m.d.s.p is supportive of > > updating Mozilla's Root Store Policy to incorporate the shorter validity > > period. So... > > > > What do you all think about also limiting the re-use of domain > validation? > > > > BR section 3.2.2.4 currently says: "Completed validations of Applicant > > authority may be valid for the issuance of multiple Certificates over > > time." > > And BR section 4.2.1 currently says: "The CA MAY use the documents and > > data provided in Section 3.2 to verify certificate information, or may > > reuse previous validations themselves, provided that the CA obtained the > > data or document from a source specified under Section 3.2 or completed > > the validation itself no more than 825 days prior to issuing the > > Certificate." > > > > In line with that, section 2.1 of Mozilla's Root Store Policy currently > > says: > > "CAs whose certificates are included in Mozilla's root program MUST: ... > > "5. verify that all of the information that is included in SSL > > certificates remains current and correct at time intervals of 825 days > > or less;" > > > > When we update Mozilla's Root Store Policy, should we shorten the domain > > validation frequency to be in line with the shortened certificate > > validity period? i.e. change item 5 in section 2.1 of Mozilla's Root > > Store Policy to: > > "5. limit the validity period and re-use of domain validation for SSL > > certificates to 398 days or less if the certificate is issued on or > > after September 1, 2020;" > > > > I realize that in order to enforce shorter frequency in domain > > validation we will need to get this change into the BRs and into the > > audit criteria. But CAs are expected to follow Mozilla's Root Store > > Policy regardless of enforcement mechanisms, and having this in our > > policy would make Mozilla's intentions clear. > > > > As always, I will greatly appreciate your thoughtful and constructive > > input on this. > > > > Thanks, > > Kathleen > > _______________________________________________ > > dev-security-policy mailing list > > dev-security-policy@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-security-policy > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
