Hi Ben,

Regarding the redlined spec:
https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.7.1?short_path=73f95f7#diff-73f95f7d2475645ef6fc93f65ddd9679d66efa9834e4ce415a2bf79a16a7cdb6

Is this a meaningful statement given max validity is 398 days now?

5. verify that all of the information that is included in server certificates remains current and correct at intervals of 825 days or less;

I think we can remove that and then move 5.1 to item 5.

I find the words for this requirement 5.1 unclear.

"5.1. for server certificates issued on or after October 1, 2021, verify each dNSName or IPAddress in a SAN or commonName at an interval of 398 days or less;"

Can we say:

"5.1. for server certificates issued on or after October 1, 2021, each dNSName or IPAddress in a SAN or commonName MUST have been validated <in accordance with the CABF Baseline Requirements?> within the prior 398 days."

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Ben Wilson via dev-security-policy
Sent: Monday, March 8, 2021 6:38 PM
To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

All,

Here is the currently proposed wording for subsection 5.1 of MRSP section 2.1:

"5.1. for server certificates issued on or after October 1, 2021, verify each dNSName or IPAddress in a SAN or commonName at an interval of 398 days or less;"

Ben

On Fri, Feb 26, 2021 at 9:48 AM Ryan Sleevi <r...@sleevi.com> wrote:

> On Thu, Feb 25, 2021 at 7:55 PM Clint Wilson via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> I think it makes sense to separate out the date for domain validation
>> expiration from the issuance of server certificates with previously
>> validated domain names, but agree with Ben that the timeline doesn't
>> seem to need to be prolonged. What about something like this:
>>
>> 1. Domain name or IP address verifications performed on or after July 1,
>> 2021 may be reused for a maximum of 398 days.
>> 2. Server certificates issued on or after September 1, 2021 must have
>> completed domain name or IP address verification within the preceding
>> 398 days.
>>
>> This effectively stretches the "cliff" out across ~6 months (now
>> through the end of August), which seems reasonable.
>>
>
> Yeah, that does sound reasonable.
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy