date:20210319

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2021-03-19 Thread Ben Wilson via dev-security-policy

Hi Doug,
It means the same thing as in the BRs. I am processing this change on a
parallel track with adding language to the BRs (Ballot SC42) because
neither change is a done deal yet.  We'll leave it in for now, not to say
that we won't eventually remove it in a subsequent update.
Thanks,
Ben

On Fri, Mar 19, 2021 at 10:26 AM Ryan Sleevi  wrote:

> The S/MIME BRs are not yet a thing, while the current language covers such
> CAs (as a condition of Mozilla inclusion)
>
> On Fri, Mar 19, 2021 at 6:45 AM Doug Beattie via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Thanks Ben.
>>
>>
>>
>> What’s the purpose of this statement:
>>
>> 5. verify that all of the information that is included in server
>> certificates remains current and correct at intervals of 825 days or less;
>>
>>
>>
>> The BRs limit data reuse to 825 days since March 2018 so I don’t think
>> this adds anything.  If it does mean something more than that, can you
>> update to make it more clear?
>>
>>
>>
>>
>>
>> From: Ben Wilson 
>> Sent: Thursday, March 18, 2021 2:53 PM
>> To: Doug Beattie 
>> Cc: mozilla-dev-security-policy <
>> mozilla-dev-security-pol...@lists.mozilla.org>
>> Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name
>> verification to 398 days
>>
>>
>>
>> I've edited the proposed subsection 5.1 and have left section 5 in for
>> now.  See
>>
>>
>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/d37d7a3865035c958c1cb139b949107665fee232
>>
>>
>>
>> On Tue, Mar 16, 2021 at 9:10 AM Ben Wilson > bwil...@mozilla.com> > wrote:
>>
>> That works, too.  Thoughts?
>>
>>
>>
>> On Tue, Mar 16, 2021 at 5:21 AM Doug Beattie >  > wrote:
>>
>> Hi Ben,
>>
>> Regarding the redlined spec:
>> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.7.1?short_path=73f95f7#diff-73f95f7d2475645ef6fc93f65ddd9679d66efa9834e4ce415a2bf79a16a7cdb6
>>
>> Is this a meaningful statement given max validity is 398 days now?
>>5. verify that all of the information that is included in server
>> certificates remains current and correct at intervals of 825 days or less;
>> I think we can remove that and them move 5.1 to item 5
>>
>> I find the words for this requirement 5.1 unclear.
>>
>>   " 5.1. for server certificates issued on or after October 1, 2021,
>> verify each dNSName or IPAddress in a SAN or commonName at an interval of
>> 398 days or less;"
>>
>> Can we say:
>> "5.1. for server certificates issued on or after October 1, 2021, each
>> dNSName or IPAddress in a SAN or commonName MUST have been validated > accordance with the CABF Baseline Requirements?> within the prior 398 days.
>>
>>
>>
>> -Original Message-
>> From: dev-security-policy >  > On Behalf Of
>> Ben Wilson via dev-security-policy
>> Sent: Monday, March 8, 2021 6:38 PM
>> To: mozilla-dev-security-policy <
>> mozilla-dev-security-pol...@lists.mozilla.org > mozilla-dev-security-pol...@lists.mozilla.org> >
>> Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name
>> verification to 398 days
>>
>> All,
>>
>> Here is the currently proposed wording for subsection 5.1 of MRSP section
>> 2.1:
>>
>> " 5.1. for server certificates issued on or after October 1, 2021, verify
>> each dNSName or IPAddress in a SAN or commonName at an interval of 398 days
>> or less;"
>>
>> Ben
>>
>> On Fri, Feb 26, 2021 at 9:48 AM Ryan Sleevi > r...@sleevi.com> > wrote:
>>
>> >
>> >
>> > On Thu, Feb 25, 2021 at 7:55 PM Clint Wilson via dev-security-policy <
>> > dev-security-policy@lists.mozilla.org > dev-security-policy@lists.mozilla.org> > wrote:
>> >
>> >> I think it makes sense to separate out the date for domain validation
>> >> expiration from the issuance of server certificates with previously
>> >> validated domain names, but agree with Ben that the timeline doesn’t
>> >> seem to need to be prolonged. What about something like this:
>> >>
>> >> 1. Domain name or IP address verifications performed on or after July
>> >> 1,
>> >> 2021 may be reused for a maximum of 398 days.
>> >> 2. Server certificates issued on or after September 1, 2021 must have
>> >> completed domain name or IP address verification within the preceding
>> >> 398 days.
>> >>
>> >> This effectively stretches the “cliff” out across ~6 months (now
>> >> through the end of August), which seems reasonable.
>> >>
>> >
>> > Yeah, that does sound reasonable.
>> >
>> ___
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org > dev-security-policy@lists.mozilla.org>
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>> ___
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
___
dev-security-policy mailing list

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2021-03-19 Thread Ryan Sleevi via dev-security-policy

The S/MIME BRs are not yet a thing, while the current language covers such
CAs (as a condition of Mozilla inclusion)

On Fri, Mar 19, 2021 at 6:45 AM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Thanks Ben.
>
>
>
> What’s the purpose of this statement:
>
> 5. verify that all of the information that is included in server
> certificates remains current and correct at intervals of 825 days or less;
>
>
>
> The BRs limit data reuse to 825 days since March 2018 so I don’t think
> this adds anything.  If it does mean something more than that, can you
> update to make it more clear?
>
>
>
>
>
> From: Ben Wilson 
> Sent: Thursday, March 18, 2021 2:53 PM
> To: Doug Beattie 
> Cc: mozilla-dev-security-policy <
> mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name
> verification to 398 days
>
>
>
> I've edited the proposed subsection 5.1 and have left section 5 in for
> now.  See
>
>
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/d37d7a3865035c958c1cb139b949107665fee232
>
>
>
> On Tue, Mar 16, 2021 at 9:10 AM Ben Wilson  bwil...@mozilla.com> > wrote:
>
> That works, too.  Thoughts?
>
>
>
> On Tue, Mar 16, 2021 at 5:21 AM Doug Beattie   > wrote:
>
> Hi Ben,
>
> Regarding the redlined spec:
> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.7.1?short_path=73f95f7#diff-73f95f7d2475645ef6fc93f65ddd9679d66efa9834e4ce415a2bf79a16a7cdb6
>
> Is this a meaningful statement given max validity is 398 days now?
>5. verify that all of the information that is included in server
> certificates remains current and correct at intervals of 825 days or less;
> I think we can remove that and them move 5.1 to item 5
>
> I find the words for this requirement 5.1 unclear.
>
>   " 5.1. for server certificates issued on or after October 1, 2021,
> verify each dNSName or IPAddress in a SAN or commonName at an interval of
> 398 days or less;"
>
> Can we say:
> "5.1. for server certificates issued on or after October 1, 2021, each
> dNSName or IPAddress in a SAN or commonName MUST have been validated  accordance with the CABF Baseline Requirements?> within the prior 398 days.
>
>
>
> -Original Message-
> From: dev-security-policy   > On Behalf Of Ben
> Wilson via dev-security-policy
> Sent: Monday, March 8, 2021 6:38 PM
> To: mozilla-dev-security-policy <
> mozilla-dev-security-pol...@lists.mozilla.org  mozilla-dev-security-pol...@lists.mozilla.org> >
> Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name
> verification to 398 days
>
> All,
>
> Here is the currently proposed wording for subsection 5.1 of MRSP section
> 2.1:
>
> " 5.1. for server certificates issued on or after October 1, 2021, verify
> each dNSName or IPAddress in a SAN or commonName at an interval of 398 days
> or less;"
>
> Ben
>
> On Fri, Feb 26, 2021 at 9:48 AM Ryan Sleevi  r...@sleevi.com> > wrote:
>
> >
> >
> > On Thu, Feb 25, 2021 at 7:55 PM Clint Wilson via dev-security-policy <
> > dev-security-policy@lists.mozilla.org  dev-security-policy@lists.mozilla.org> > wrote:
> >
> >> I think it makes sense to separate out the date for domain validation
> >> expiration from the issuance of server certificates with previously
> >> validated domain names, but agree with Ben that the timeline doesn’t
> >> seem to need to be prolonged. What about something like this:
> >>
> >> 1. Domain name or IP address verifications performed on or after July
> >> 1,
> >> 2021 may be reused for a maximum of 398 days.
> >> 2. Server certificates issued on or after September 1, 2021 must have
> >> completed domain name or IP address verification within the preceding
> >> 398 days.
> >>
> >> This effectively stretches the “cliff” out across ~6 months (now
> >> through the end of August), which seems reasonable.
> >>
> >
> > Yeah, that does sound reasonable.
> >
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org  dev-security-policy@lists.mozilla.org>
> https://lists.mozilla.org/listinfo/dev-security-policy
>
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

2021-03-19 Thread Doug Beattie via dev-security-policy

Thanks Ben.

What’s the purpose of this statement:

5. verify that all of the information that is included in server certificates 
remains current and correct at intervals of 825 days or less;

The BRs limit data reuse to 825 days since March 2018 so I don’t think this 
adds anything.  If it does mean something more than that, can you update to 
make it more clear?

From: Ben Wilson  
Sent: Thursday, March 18, 2021 2:53 PM
To: Doug Beattie 
Cc: mozilla-dev-security-policy 
Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name 
verification to 398 days

I've edited the proposed subsection 5.1 and have left section 5 in for now.  
See 

https://github.com/BenWilson-Mozilla/pkipolicy/commit/d37d7a3865035c958c1cb139b949107665fee232

On Tue, Mar 16, 2021 at 9:10 AM Ben Wilson mailto:bwil...@mozilla.com> > wrote:

That works, too.  Thoughts?

On Tue, Mar 16, 2021 at 5:21 AM Doug Beattie mailto:doug.beat...@globalsign.com> > wrote:

Hi Ben,

Regarding the redlined spec: 
https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.7.1?short_path=73f95f7#diff-73f95f7d2475645ef6fc93f65ddd9679d66efa9834e4ce415a2bf79a16a7cdb6

Is this a meaningful statement given max validity is 398 days now? 
   5. verify that all of the information that is included in server 
certificates remains current and correct at intervals of 825 days or less;
I think we can remove that and them move 5.1 to item 5

I find the words for this requirement 5.1 unclear. 

  " 5.1. for server certificates issued on or after October 1, 2021, verify 
each dNSName or IPAddress in a SAN or commonName at an interval of 398 days or 
less;"

Can we say:
"5.1. for server certificates issued on or after October 1, 2021, each dNSName 
or IPAddress in a SAN or commonName MUST have been validated  within the prior 398 days.

-Original Message-
From: dev-security-policy mailto:dev-security-policy-boun...@lists.mozilla.org> > On Behalf Of Ben 
Wilson via dev-security-policy
Sent: Monday, March 8, 2021 6:38 PM
To: mozilla-dev-security-policy mailto:mozilla-dev-security-pol...@lists.mozilla.org> >
Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name 
verification to 398 days

All,

Here is the currently proposed wording for subsection 5.1 of MRSP section
2.1:

" 5.1. for server certificates issued on or after October 1, 2021, verify each 
dNSName or IPAddress in a SAN or commonName at an interval of 398 days or less;"

Ben

On Fri, Feb 26, 2021 at 9:48 AM Ryan Sleevi mailto:r...@sleevi.com> > wrote:

>
>
> On Thu, Feb 25, 2021 at 7:55 PM Clint Wilson via dev-security-policy < 
> dev-security-policy@lists.mozilla.org 
>  > wrote:
>
>> I think it makes sense to separate out the date for domain validation 
>> expiration from the issuance of server certificates with previously 
>> validated domain names, but agree with Ben that the timeline doesn’t 
>> seem to need to be prolonged. What about something like this:
>>
>> 1. Domain name or IP address verifications performed on or after July 
>> 1,
>> 2021 may be reused for a maximum of 398 days.
>> 2. Server certificates issued on or after September 1, 2021 must have 
>> completed domain name or IP address verification within the preceding 
>> 398 days.
>>
>> This effectively stretches the “cliff” out across ~6 months (now 
>> through the end of August), which seems reasonable.
>>
>
> Yeah, that does sound reasonable.
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org 

https://lists.mozilla.org/listinfo/dev-security-policy

smime.p7s
Description: S/MIME cryptographic signature
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

RE: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

3 matches

Site Navigation

Mail list logo

Footer information