See responses inline below:

On Tue, Dec 1, 2020 at 11:40 AM Doug Beattie <doug.beat...@globalsign.com>
wrote:

> Hi Ben,
>
> For now I won’t comment on the 398 day limit or the date which you propose
> this to take effect (July 1, 2021), but on the ability of CAs to re-use
> domain validations completed prior to 1 July for their full 825 re-use
> period.  I'm assuming that the 398 day limit is only for those domain
> validated on or after 1 July, 2021.  Maybe that is your intent, but the
> wording is not clear (it's never been all that clear).
>

Yes. (I agree that the wording is currently unclear and can be improved,
which I'll work on as discussion progresses.)  That is the intent: for
certificates issued beginning next July, new validations would be valid for
398 days, but existing, reused validations would be sunsetted and could be
used for up to 825 days (let's say, until Oct. 1, 2023, which I'd advise
against, given the benefits of freshness provided by re-performing methods
in BR 3.2.2.4 and BR 3.2.2.5).


>
> Could you consider changing it to read more like this (feel free to edit
> as needed):
>
> CAs may re-use domain validation for subjectAltName verifications of
> dNSNames and IPAddresses done prior to July 1, 2021 for up to 825 days <in
> accordance with domain validation re-use in the BRs, section 4.2.1>.  CAs
> MUST limit domain re-use for subjectAltName verifications of dNSNames and
> IPAddresses to 398 days for domains validated on or after July 1, 2021.
>

Thanks. I am open to all suggestions and improvements to the language. I'll
see how this can be phrased appropriately to reduce the chance for
misinterpretation.


>
> From a CA perspective, I don't have any major concerns with shortening the
> domain re-use periods, but customers do/will.  Will there be a Mozilla blog
> that outlines the security improvements with cutting the re-use period in
> half and why July 2021 is the right time?
>

Yes.  I'll prepare a blog post that outlines the security improvements to
be obtained by shortening the reuse period. (E.g., certificates should not
contain stale information.) July 2021 was chosen because I figured April
2021 would be too soon. It also allows CAs to schedule any needed system
work during Q2/2021. In my opinion, Oct. 2023 is a considerably long tail
for this change, and existing domains/customers should not be affected
until then.

Cheers,

Ben


>
> Doug
>
> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
> On Behalf Of Ben Wilson via dev-security-policy
> Sent: Monday, November 30, 2020 2:27 PM
> To: mozilla-dev-security-policy <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name
> verification to 398 days
>
> The purpose of this email is to begin public discussion on a modification
> to subsection 5 in section 2.1 of the Mozilla Root Store Policy.
>
> Issue #206 <https://github.com/mozilla/pkipolicy/issues/206> in GitHub
> discusses the need to bring the reuse period for domain validation in line
> with the certificate issuance validity cycle of 398 days (as set forth in
> section 6.3.2 of the Baseline Requirements). This proposal is not to say
> that Mozilla is not also contemplating a ballot in the CA/Browser Forum
> that would introduce similar language to the Baseline Requirements. Any
> potential CABF endorsers of such a ballot should reach out to me off-list.
>
> Currently, subsection 5 of section 2.1 of the Mozilla Root Store Policy
> (MRSP) states that a CA must “verify that all of the information that is
> included in SSL certificates remains current and correct at time intervals
> of 825 days or less;”
>
> It is proposed that a subsection 5.1 be added to this subsection to
> require that, for subjectAltName verifications of dNSNames or IPAddresses
> performed on or after July 1, 2021, CAs verify the dNSName or IPAddress at
> intervals of 398 days or less.
> Proposed language may be found in the following commit:
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/b7b53eea3a0af1503f3c99632ba22efc9e86bee2
> Restated here, the proposed language for subsection 5.1 of section 2.1 is:
>
> "for subjectAltName verifications of dNSNames and IPAddresses performed on
> or after July 1, 2021, verify that each dNSName or IPAddress is current and
> correct at intervals of 398 days or less;"
>
> I look forward to your comments, suggestions and discussions.
>
> Thanks,
>
> Ben
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
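As an added example (not from the thread, and not Mozilla's or any CA's code), the following Python encodes the proposed rule the way a CA might implement it as a pre-issuance gate: a dNSName or IPAddress validation completed before July 1, 2021 keeps the existing 825-day reuse window, and one completed on or after that date gets 398 days. The cutoff and window lengths come from the thread; the sample SAN validation dates are constructed. Treating the last permitted issuance day as the validation date plus the window (inclusive) is an assumption, since the policy text speaks of "intervals" rather than an explicit expiry date.

```python
from datetime import date, timedelta

# Added example implementing the proposed MRSP 2.1(5.1) reuse rule as
# described in the thread. Not Mozilla's or any CA's production code.
CUTOFF = date(2021, 7, 1)      # validations on/after this date get the shorter window
LEGACY_REUSE_DAYS = 825        # existing MRSP 2.1(5) interval
NEW_REUSE_DAYS = 398           # proposed interval, aligned with BR 6.3.2 validity


def max_reuse_days(validated_on: date) -> int:
    """Reuse window that applies to a validation completed on `validated_on`."""
    return NEW_REUSE_DAYS if validated_on >= CUTOFF else LEGACY_REUSE_DAYS


def reuse_expiry(validated_on: date) -> date:
    """Last day on which the validation may still be relied upon.
    Assumption: the interval is counted inclusively from the validation date."""
    return validated_on + timedelta(days=max_reuse_days(validated_on))


def validation_reusable(validated_on: date, issuance_date: date) -> bool:
    """True if a SAN dNSName/IPAddress validation completed on `validated_on`
    may be relied upon for a certificate issued on `issuance_date`."""
    if issuance_date < validated_on:
        return False  # a validation cannot support an issuance that precedes it
    return issuance_date <= reuse_expiry(validated_on)


def stale_sans(validations: dict, issuance_date: date) -> list:
    """Given {san_value: validation_date}, return (sorted) the SAN values whose
    validation must be re-performed before issuing on `issuance_date`."""
    return sorted(san for san, validated_on in validations.items()
                  if not validation_reusable(validated_on, issuance_date))


if __name__ == "__main__":
    # Constructed sample: one legacy validation, one post-cutoff validation,
    # and one legacy IP validation that has run past its 825-day window.
    sample = {
        "example.com": date(2021, 1, 15),
        "www.example.com": date(2021, 9, 1),
        "192.0.2.10": date(2020, 6, 1),
    }
    issuing_on = date(2022, 10, 1)
    for san, validated_on in sample.items():
        print(f"{san:18} validated {validated_on} -> reusable until {reuse_expiry(validated_on)}")
    print("must re-validate:", stale_sans(sample, issuing_on))
```

Running the block shows the long tail the reply describes: the latest pre-cutoff validation (June 30, 2021) remains reusable until early October 2023, while a validation performed on the cutoff day itself expires in August 2022. The gate returns the SANs that need a fresh BR 3.2.2.4 or 3.2.2.5 validation rather than silently issuing on stale data.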
