The S/MIME BRs are not yet a thing, while the current language covers such
CAs (as a condition of Mozilla inclusion)

On Fri, Mar 19, 2021 at 6:45 AM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Thanks Ben.
>
> What’s the purpose of this statement:
>
> 5. verify that all of the information that is included in server
> certificates remains current and correct at intervals of 825 days or less;
>
> The BRs limit data reuse to 825 days since March 2018 so I don’t think
> this adds anything.  If it does mean something more than that, can you
> update to make it more clear?
>
> From: Ben Wilson <bwil...@mozilla.com>
> Sent: Thursday, March 18, 2021 2:53 PM
> To: Doug Beattie <doug.beat...@globalsign.com>
> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name
> verification to 398 days
>
> I've edited the proposed subsection 5.1 and have left section 5 in for
> now.  See
>
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/d37d7a3865035c958c1cb139b949107665fee232
>
> On Tue, Mar 16, 2021 at 9:10 AM Ben Wilson <bwil...@mozilla.com> wrote:
>
> That works, too.  Thoughts?
>
> On Tue, Mar 16, 2021 at 5:21 AM Doug Beattie <doug.beat...@globalsign.com> wrote:
>
> Hi Ben,
>
> Regarding the redlined spec:
> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.7.1?short_path=73f95f7#diff-73f95f7d2475645ef6fc93f65ddd9679d66efa9834e4ce415a2bf79a16a7cdb6
>
> Is this a meaningful statement given max validity is 398 days now?
>    5. verify that all of the information that is included in server
> certificates remains current and correct at intervals of 825 days or less;
> I think we can remove that and then move 5.1 to item 5.
>
> I find the words for this requirement 5.1 unclear.
>
>   " 5.1. for server certificates issued on or after October 1, 2021,
> verify each dNSName or IPAddress in a SAN or commonName at an interval of
> 398 days or less;"
>
> Can we say:
> "5.1. for server certificates issued on or after October 1, 2021, each
> dNSName or IPAddress in a SAN or commonName MUST have been validated <in
> accordance with the CABF Baseline Requirements?> within the prior 398 days.
>
> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Ben
> Wilson via dev-security-policy
> Sent: Monday, March 8, 2021 6:38 PM
> To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name
> verification to 398 days
>
> All,
>
> Here is the currently proposed wording for subsection 5.1 of MRSP section
> 2.1:
>
> " 5.1. for server certificates issued on or after October 1, 2021, verify
> each dNSName or IPAddress in a SAN or commonName at an interval of 398 days
> or less;"
>
> Ben
>
> On Fri, Feb 26, 2021 at 9:48 AM Ryan Sleevi <r...@sleevi.com> wrote:
>
> >
> > On Thu, Feb 25, 2021 at 7:55 PM Clint Wilson via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> >> I think it makes sense to separate out the date for domain validation
> >> expiration from the issuance of server certificates with previously
> >> validated domain names, but agree with Ben that the timeline doesn’t
> >> seem to need to be prolonged. What about something like this:
> >>
> >> 1. Domain name or IP address verifications performed on or after July 1,
> >> 2021 may be reused for a maximum of 398 days.
> >> 2. Server certificates issued on or after September 1, 2021 must have
> >> completed domain name or IP address verification within the preceding
> >> 398 days.
> >>
> >> This effectively stretches the “cliff” out across ~6 months (now
> >> through the end of August), which seems reasonable.
> >>
> >
> > Yeah, that does sound reasonable.
> >
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
>
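The "cliff" the thread keeps coming back to is easier to see with dates in hand. The following is an added example, not text or code from the thread or from Mozilla's policy repository; it encodes the proposed 5.1 wording as quoted above (certificates issued on or after October 1, 2021 need every dNSName/IPAddress validated within the prior 398 days) and, for certificates issued before that date, the existing 825-day reuse limit that Doug mentions. The names and sample dates are constructed for illustration.

```python
from datetime import date, timedelta
from typing import Dict, List

# Dates and windows as quoted in the thread (proposed MRSP 2.7.1, section 2.1, item 5.1).
CUTOVER = date(2021, 10, 1)          # certificates issued on/after this date fall under 5.1
NEW_REUSE = timedelta(days=398)      # reuse window under the proposed 5.1 wording
OLD_REUSE = timedelta(days=825)      # existing BR data-reuse limit for earlier issuance


def max_reuse(issued: date) -> timedelta:
    """Longest permitted age of a domain/IP validation for a certificate issued on `issued`."""
    return NEW_REUSE if issued >= CUTOVER else OLD_REUSE


def stale_names(issued: date, validations: Dict[str, date]) -> List[str]:
    """Names (dNSName or IPAddress from the SAN/CN) whose latest validation is too old
    for a certificate issued on `issued`. A validation dated after issuance cannot have
    been relied upon, so it is reported as stale too. An empty list means issuance is OK."""
    limit = max_reuse(issued)
    return sorted(
        name for name, validated in validations.items()
        if validated > issued or issued - validated > limit
    )


def last_reuse_day(validated: date) -> date:
    """Latest issuance date on which a validation completed on `validated` may still be reused.
    Validations whose 398-day window already reaches past the cut-over keep that window;
    older ones are usable under the 825-day rule only until the day before the cut-over."""
    new_end = validated + NEW_REUSE
    if new_end >= CUTOVER:
        return new_end
    return min(validated + OLD_REUSE, CUTOVER - timedelta(days=1))


if __name__ == "__main__":
    # Constructed sample: one name validated well before the cut-over, one recently.
    sample = {"www.example.com": date(2020, 8, 1), "203.0.113.7": date(2021, 1, 15)}
    for issued in (date(2021, 9, 30), date(2021, 10, 1)):
        print(issued, "stale:", stale_names(issued, sample))
    for validated in sample.values():
        print(validated, "reusable until", last_reuse_day(validated))
```

Running it shows the cliff directly: a validation from 1 August 2020 supports issuance on 30 September 2021 (425 days old, within 825) but not on 1 October 2021 (426 days, over 398).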
