I've edited the proposed subsection 5.1 and have left section 5 in for now. See https://github.com/BenWilson-Mozilla/pkipolicy/commit/d37d7a3865035c958c1cb139b949107665fee232
On Tue, Mar 16, 2021 at 9:10 AM Ben Wilson <bwil...@mozilla.com> wrote: > That works, too. Thoughts? > > On Tue, Mar 16, 2021 at 5:21 AM Doug Beattie <doug.beat...@globalsign.com> > wrote: > >> Hi Ben, >> >> Regarding the redlined spec: >> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.7.1?short_path=73f95f7#diff-73f95f7d2475645ef6fc93f65ddd9679d66efa9834e4ce415a2bf79a16a7cdb6 >> >> Is this a meaningful statement given max validity is 398 days now? >> 5. verify that all of the information that is included in server >> certificates remains current and correct at intervals of 825 days or less; >> I think we can remove that and them move 5.1 to item 5 >> >> I find the words for this requirement 5.1 unclear. >> >> " 5.1. for server certificates issued on or after October 1, 2021, >> verify each dNSName or IPAddress in a SAN or commonName at an interval of >> 398 days or less;" >> >> Can we say: >> "5.1. for server certificates issued on or after October 1, 2021, each >> dNSName or IPAddress in a SAN or commonName MUST have been validated <in >> accordance with the CABF Baseline Requirements?> within the prior 398 days. >> >> >> >> -----Original Message----- >> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> >> On Behalf Of Ben Wilson via dev-security-policy >> Sent: Monday, March 8, 2021 6:38 PM >> To: mozilla-dev-security-policy < >> mozilla-dev-security-pol...@lists.mozilla.org> >> Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name >> verification to 398 days >> >> All, >> >> Here is the currently proposed wording for subsection 5.1 of MRSP section >> 2.1: >> >> " 5.1. for server certificates issued on or after October 1, 2021, verify >> each dNSName or IPAddress in a SAN or commonName at an interval of 398 days >> or less;" >> >> Ben >> >> On Fri, Feb 26, 2021 at 9:48 AM Ryan Sleevi <r...@sleevi.com> wrote: >> >> > >> > >> > On Thu, Feb 25, 2021 at 7:55 PM Clint Wilson via dev-security-policy < >> > dev-security-policy@lists.mozilla.org> wrote: >> > >> >> I think it makes sense to separate out the date for domain validation >> >> expiration from the issuance of server certificates with previously >> >> validated domain names, but agree with Ben that the timeline doesn’t >> >> seem to need to be prolonged. What about something like this: >> >> >> >> 1. Domain name or IP address verifications performed on or after July >> >> 1, >> >> 2021 may be reused for a maximum of 398 days. >> >> 2. Server certificates issued on or after September 1, 2021 must have >> >> completed domain name or IP address verification within the preceding >> >> 398 days. >> >> >> >> This effectively stretches the “cliff” out across ~6 months (now >> >> through the end of August), which seems reasonable. >> >> >> > >> > Yeah, that does sound reasonable. >> > >> _______________________________________________ >> dev-security-policy mailing list >> dev-security-policy@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-security-policy >> > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy