The purpose of this email is to begin public discussion on a modification to subsection 5 in section 2.1 of the Mozilla Root Store Policy.
Issue #206 <https://github.com/mozilla/pkipolicy/issues/206> in GitHub discusses the need to bring the reuse period for domain validation in line with the certificate issuance validity cycle of 398 days (as set forth in section 6.3.2 of the Baseline Requirements). This proposal is not to say that Mozilla is not also contemplating a ballot in the CA/Browser Forum that would introduce similar language to the Baseline Requirements. Any potential CABF endorsers of such a ballot should reach out to me off-list. Currently, subsection 5 of section 2.1 of the Mozilla Root Store Policy (MRSP) states that a CA must “verify that all of the information that is included in SSL certificates remains current and correct at time intervals of 825 days or less;” It is proposed that a subsection 5.1 be added to this subsection to require that, for subjectAltName verifications of dNSNames or IPAddresses performed on or after July 1, 2021, CAs verify the dNSName or IPAddress at intervals of 398 days or less. Proposed language may be found in the following commit: https://github.com/BenWilson-Mozilla/pkipolicy/commit/b7b53eea3a0af1503f3c99632ba22efc9e86bee2 Restated here, the proposed language for subsection 5.1 of section 2.1 is: "for subjectAltName verifications of dNSNames and IPAddresses performed on or after July 1, 2021, verify that each dNSName or IPAddress is current and correct at intervals of 398 days or less;" I look forward to your comments, suggestions and discussions. Thanks, Ben _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
