Hi Doug,

It means the same thing as in the BRs. I am processing this change on a parallel track with adding language to the BRs (Ballot SC42) because neither change is a done deal yet. We'll leave it in for now, not to say that we won't eventually remove it in a subsequent update.

Thanks,
Ben

On Fri, Mar 19, 2021 at 10:26 AM Ryan Sleevi <r...@sleevi.com> wrote:

> The S/MIME BRs are not yet a thing, while the current language covers such CAs (as a condition of Mozilla inclusion)
>
> On Fri, Mar 19, 2021 at 6:45 AM Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> Thanks Ben.
>>
>> What’s the purpose of this statement:
>>
>> 5. verify that all of the information that is included in server certificates remains current and correct at intervals of 825 days or less;
>>
>> The BRs limit data reuse to 825 days since March 2018 so I don’t think this adds anything. If it does mean something more than that, can you update to make it more clear?
>>
>> From: Ben Wilson <bwil...@mozilla.com>
>> Sent: Thursday, March 18, 2021 2:53 PM
>> To: Doug Beattie <doug.beat...@globalsign.com>
>> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
>> Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days
>>
>> I've edited the proposed subsection 5.1 and have left section 5 in for now. See
>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/d37d7a3865035c958c1cb139b949107665fee232
>>
>> On Tue, Mar 16, 2021 at 9:10 AM Ben Wilson <bwil...@mozilla.com> wrote:
>>
>> That works, too. Thoughts?
>>
>> On Tue, Mar 16, 2021 at 5:21 AM Doug Beattie <doug.beat...@globalsign.com> wrote:
>>
>> Hi Ben,
>>
>> Regarding the redlined spec:
>> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.7.1?short_path=73f95f7#diff-73f95f7d2475645ef6fc93f65ddd9679d66efa9834e4ce415a2bf79a16a7cdb6
>>
>> Is this a meaningful statement given max validity is 398 days now?
>> 5. verify that all of the information that is included in server certificates remains current and correct at intervals of 825 days or less;
>> I think we can remove that and then move 5.1 to item 5
>>
>> I find the words for this requirement 5.1 unclear.
>>
>> " 5.1. for server certificates issued on or after October 1, 2021, verify each dNSName or IPAddress in a SAN or commonName at an interval of 398 days or less;"
>>
>> Can we say:
>> "5.1. for server certificates issued on or after October 1, 2021, each dNSName or IPAddress in a SAN or commonName MUST have been validated <in accordance with the CABF Baseline Requirements?> within the prior 398 days.
>>
>> -----Original Message-----
>> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Ben Wilson via dev-security-policy
>> Sent: Monday, March 8, 2021 6:38 PM
>> To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
>> Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days
>>
>> All,
>>
>> Here is the currently proposed wording for subsection 5.1 of MRSP section 2.1:
>>
>> " 5.1. for server certificates issued on or after October 1, 2021, verify each dNSName or IPAddress in a SAN or commonName at an interval of 398 days or less;"
>>
>> Ben
>>
>> On Fri, Feb 26, 2021 at 9:48 AM Ryan Sleevi <r...@sleevi.com> wrote:
>>
>> > On Thu, Feb 25, 2021 at 7:55 PM Clint Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>> >
>> >> I think it makes sense to separate out the date for domain validation expiration from the issuance of server certificates with previously validated domain names, but agree with Ben that the timeline doesn’t seem to need to be prolonged. What about something like this:
>> >>
>> >> 1. Domain name or IP address verifications performed on or after July 1, 2021 may be reused for a maximum of 398 days.
>> >> 2. Server certificates issued on or after September 1, 2021 must have completed domain name or IP address verification within the preceding 398 days.
>> >>
>> >> This effectively stretches the “cliff” out across ~6 months (now through the end of August), which seems reasonable.
>> >>
>> >
>> > Yeah, that does sound reasonable.
>> >
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
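As an added example (not part of the thread, the MRSP text, or any CA's code), here is how a CA or auditor might mechanically apply the proposed item 5.1 to one certificate: every dNSName or IPAddress must have a validation no older than 398 days when the certificate is issued on or after October 1, 2021, with the pre-existing 825-day BR reuse limit applying to earlier issuance. The sample validation records are constructed, and the reading of "within the prior 398 days" as an age of at most 398 whole days is an assumption.

```python
from datetime import date
from typing import Dict, Iterable, List, Tuple

# Cutover date from the proposed MRSP 2.7.1 section 2.1, item 5.1.
MRSP_398_DAY_EFFECTIVE = date(2021, 10, 1)
# Reuse windows in days: the existing BR limit and the proposed MRSP limit.
BR_REUSE_LIMIT_DAYS = 825
MRSP_REUSE_LIMIT_DAYS = 398


def reuse_limit_for(issuance_iso: str) -> int:
    """Maximum validation age (days) usable for a cert issued on this date."""
    issuance = date.fromisoformat(issuance_iso)
    if issuance >= MRSP_398_DAY_EFFECTIVE:
        return MRSP_REUSE_LIMIT_DAYS
    return BR_REUSE_LIMIT_DAYS


def stale_names(issuance_iso: str, san_names: Iterable[str],
                validations: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for each SAN/commonName value that would NOT
    satisfy 'validated within the prior N days' at issuance.

    Assumption (ours, not the list's): age <= N whole days passes, a name
    with no validation record fails, and a record dated after issuance fails."""
    issuance = date.fromisoformat(issuance_iso)
    limit = reuse_limit_for(issuance_iso)
    failures: List[Tuple[str, str]] = []
    for name in san_names:
        validated_iso = validations.get(name)
        if validated_iso is None:
            failures.append((name, "no validation record"))
            continue
        age = (issuance - date.fromisoformat(validated_iso)).days
        if age < 0:
            failures.append((name, "validation dated after issuance"))
        elif age > limit:
            failures.append((name, f"validated {age} days ago, limit {limit}"))
    return failures


# Constructed sample: a cert issued after the cutover that reuses old data.
SAMPLE_ISSUANCE = "2021-10-15"
SAMPLE_SANS = ["www.example.com", "example.com", "192.0.2.10"]
SAMPLE_VALIDATIONS = {
    "www.example.com": "2021-09-01",  # 44 days old: fine under either limit
    "example.com": "2020-08-01",      # 440 days old: fine under 825, not 398
    # 192.0.2.10 deliberately has no validation record
}

if __name__ == "__main__":
    for name, reason in stale_names(SAMPLE_ISSUANCE, SAMPLE_SANS, SAMPLE_VALIDATIONS):
        print(f"{name}: {reason}")
```

Running the same SANs and records against an issuance date of 2021-09-30 reports only the missing IP record, which is the "cliff" the thread is discussing.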