To: Kathleen Wilson ; Mozilla
Subject: RE: About upcoming limits on trusted certificates
> On 3/11/20 3:51 PM, Paul Walsh wrote:
> > Can you provide some insight to why you think a shorter frequency in
> > domain validation would be beneficial?
>
> To start with, it is common
Thanks to all of you who have participated in this discussion. We plan
to begin work on a minor update (version 2.7.1) to Mozilla's Root Store
Policy soon. In response to this discussion, the following two issues
have been created and labelled for 2.7.1.
Wayne filed
> On 3/11/20 3:51 PM, Paul Walsh wrote:
> > Can you provide some insight to why you think a shorter frequency in
> > domain validation would be beneficial?
>
> To start with, it is common for a domain name to be purchased for one year.
> A certificate owner that was able to prove ownership/control
On Wed, 11 Mar 2020 15:39:34 -0700
Kathleen Wilson via dev-security-policy
wrote:
> What do you all think about also limiting the re-use of domain
> validation?
I'm strongly in favor of this change, and think domain validation reuse
should eventually be limited to a period much shorter than one
On Mon, Mar 16, 2020 at 11:13 AM Doug Beattie
wrote:
> For clarity, I think we need to discuss all the knobs along with proposed
> effective dates and usage periods so we get the whole picture.
>
I disagree with this framing, as I have pointed out it's been repeatedly
used disingenuously by
16, 2020 10:27 AM
To: Doug Beattie
Cc: r...@sleevi.com; Kathleen Wilson ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: About upcoming limits on trusted certificates
No, I don't think we should assume anything, since it doesn't say anything
about lifetime :)
The value
>
> *From:* Ryan Sleevi
> *Sent:* Monday, March 16, 2020 10:02 AM
> *To:* Doug Beattie
> *Cc:* r...@sleevi.com; Kathleen Wilson ;
> mozilla-dev-security-pol...@lists.mozilla.org
> *Subject:* Re: About upcoming limits on trusted certificates
>
>
>
> Hi Doug,
>
>
Are we to assume that the maximum certificate validity remains at 398 days?
From: Ryan Sleevi
Sent: Monday, March 16, 2020 10:02 AM
To: Doug Beattie
Cc: r...@sleevi.com; Kathleen Wilson ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: About upcoming limits on trusted
Hi Doug,
Perhaps it got mangled by your mail client, but I think I had that covered?
I've pasted it again, below.
Counter proposal:
April 2021: 395 day domain validation max
April 2021: 366 day organization validation max
April 2022: 92 day domain validation max
September 2022: 31 day domain
Wilson ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: About upcoming limits on trusted certificates
On Fri, Mar 13, 2020 at 2:38 PM Doug Beattie via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
When we moved to SHA2 we knew of security ri
On 14/03/2020 18:53, Nick Lamb wrote:
my assumption is that at
best such a patch would be in the big pile of volunteer stuff maybe
nobody has time to look at.
Tangential: perhaps there's an aspect of phrasing here that is confusing
me, but this reads to me as suggesting we don't review/work
On Sat, Mar 14, 2020 at 2:54 PM Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thu, 5 Mar 2020 14:15:17 +
> Nick Lamb via dev-security-policy
> wrote:
>
> > There is some value in policy alone but there's also substantial
> > independent value in
On Thu, 5 Mar 2020 14:15:17 +
Nick Lamb via dev-security-policy
wrote:
> There is some value in policy alone but there's also substantial
> independent value in writing the policy into the code. Would Mozilla
> accept third party work to implement something like #908125 ? I
> appreciate you
On Fri, Mar 13, 2020 at 2:38 PM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> When we moved to SHA2 we knew of security risks so the timeline could be
> justified, however, I don’t see the same pressing need to move to annual
> domain revalidation and 1 year
On Wednesday, March 11, 2020 at 4:11:56 PM UTC-7, Kathleen Wilson wrote:
> To start with, it is common for a domain name to be purchased for one
> year. A certificate owner that was able to prove ownership/control of
> the domain name last year might not have renewed the domain name. So why
>
ozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: About upcoming limits on trusted certificates
On 3/12/20 5:52 AM, Doug Beattie wrote:
> Changing the domain validation re-use period is a substantial change from
> the Apple proposed max validity period change and will place an addi
On 3/12/20 5:52 AM, Doug Beattie wrote:
Changing the domain validation re-use period is a substantial change from the Apple proposed max validity period change and will place an additional burden on certificate Applicants to update their domain validation more than twice as frequently.
On Thu, Mar 12, 2020 at 10:58 AM Jeremy Rowley
wrote:
> I think this statement is not accurate: "As a result, CAs don’t pursue
> automation, or when they support it, neither promote nor require it." I
> know very few CAs who want to spend extra resources on manual validations
> and just as few
Sleevi via dev-security-policy
Sent: Thursday, March 12, 2020 7:30 AM
To: Julien Cristau
Cc: Mozilla ; Kathleen Wilson
Subject: Re: About upcoming limits on trusted certificates
The Baseline Requirements allow a number of methods that aren’t easily
automated, such as validation via email. A
The Baseline Requirements allow a number of methods that aren’t easily
automated, such as validation via email. As a result, CAs don’t pursue
automation, or when they support it, neither promote nor require it. This
leads CAs to be opposed to efforts to shorten the reuse time, as they have
: dev-security-policy On
Behalf Of Kathleen Wilson via dev-security-policy
Sent: Wednesday, March 11, 2020 8:29 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: About upcoming limits on trusted certificates
On 3/11/20 4:37 PM, Paul Walsh wrote:
>
>> On Mar 11, 2020, a
Hi Kathleen, all,
Is there a reason domain validation information needs to be reused for more
than, say, 30 days? For the manual parts of identity validation I
understand you don't want to repeat the process too often, but domain
validation can be entirely automated so it doesn't seem like long
Thanks for the clarification, Kathleen. I tried my best not to make
assumptions.
- Paul
> On Mar 11, 2020, at 5:28 PM, Kathleen Wilson via dev-security-policy
> wrote:
>
> On 3/11/20 4:37 PM, Paul Walsh wrote:
On Mar 11, 2020, at 4:11 PM, Kathleen Wilson via dev-security-policy
On 3/11/20 4:37 PM, Paul Walsh wrote:
On Mar 11, 2020, at 4:11 PM, Kathleen Wilson via dev-security-policy
wrote:
On 3/11/20 3:51 PM, Paul Walsh wrote:
Can you provide some insight to why you think a shorter frequency in domain
validation would be beneficial?
[PW] If the owner’s identity
> On Mar 11, 2020, at 4:11 PM, Kathleen Wilson via dev-security-policy
> wrote:
>
> On 3/11/20 3:51 PM, Paul Walsh wrote:
>> Can you provide some insight to why you think a shorter frequency in domain
>> validation would be beneficial?
>
> To start with, it is common for a domain name to be
On 3/11/20 3:51 PM, Paul Walsh wrote:
Can you provide some insight to why you think a shorter frequency in domain validation would be beneficial?
To start with, it is common for a domain name to be purchased for one
year. A certificate owner that was able to prove ownership/control of
the
Hi Kathleen,
Can you provide some insight to why you think a shorter frequency in domain
validation would be beneficial? At the very least it deserves a new thread as
the potential impact could be significant.
And out of curiosity, why not raise your question inside the CA/Browser forum
if
All,
First, I would like to say that my preference would have been for this
type of change (limit SSL cert validity period to 398 days) to be agreed
to in the CA/Browser Forum and added to the BRs. However, the ball is
already rolling, and discussion here in m.d.s.p is supportive of
updating
On Tuesday, March 3, 2020 at 12:28:20 PM UTC-8, Wayne Thayer wrote:
> Thank you for sharing this Clint.
>
> I'd like to ask for input from the community: is this a requirement that we
> should add to the Mozilla policy at this time (effective September 1, 2020)?
Of course. And 180 days next
On Wed, 4 Mar 2020 16:41:09 -0700
Wayne Thayer via dev-security-policy
wrote:
> I'm fairly certain that there is no validity period enforcement in
> Firefox. The request is
> https://bugzilla.mozilla.org/show_bug.cgi?id=908125 I'm also not in a
> position to commit Mozilla to technical
On Wed, Mar 4, 2020 at 11:48 AM Nick Lamb wrote:
> On Tue, 3 Mar 2020 13:27:59 -0700
> Wayne Thayer via dev-security-policy
> wrote:
>
> > I'd like to ask for input from the community: is this a requirement
> > that we should add to the Mozilla policy at this time (effective
> > September 1,
Hi Clint,
The content of your email, the blog post and the Apple root policy all say
something a little different and may leave some room for interpretation by
the CAs. As it stands, things are a bit confused. Here's why:
Your mail is a little light on the details. While you say this is an
On Tue, 3 Mar 2020 13:27:59 -0700
Wayne Thayer via dev-security-policy
wrote:
> I'd like to ask for input from the community: is this a requirement
> that we should add to the Mozilla policy at this time (effective
> September 1, 2020)?
If Mozilla adds this as a policy requirement it should
On Tue, Mar 03, 2020 at 01:53:49PM -0800, Clint Wilson wrote:
> On Mar 3, 2020, at 1:41 PM, Matt Palmer via dev-security-policy
> wrote:
> > On Tue, Mar 03, 2020 at 11:55:24AM -0800, Clint Wilson via
> > dev-security-policy wrote:
> >> For additional information, please see
> >>
Hi Matt,
This is determined using the notBefore value in the certificate; if the
notBefore value is greater than or equal to September 1, 2020 00:00 GMT/UTC,
then the updated policy will apply.
Cheers,
-Clint
> On Mar 3, 2020, at 1:41 PM, Matt Palmer via dev-security-policy
> wrote:
>
> On
On Tue, Mar 03, 2020 at 01:27:59PM -0700, Wayne Thayer via dev-security-policy
wrote:
> I'd like to ask for input from the community: is this a requirement that we
> should add to the Mozilla policy at this time (effective September 1, 2020)?
I don't see any reason not to.
- Matt
On Tue, Mar 03, 2020 at 11:55:24AM -0800, Clint Wilson via dev-security-policy
wrote:
> For additional information, please see
> https://support.apple.com/en-us/HT211025.
I have a question regarding this part:
> TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC
> must
Thank you for sharing this Clint.
I'd like to ask for input from the community: is this a requirement that we
should add to the Mozilla policy at this time (effective September 1, 2020)?
You may recall that a 398-day maximum validity for TLS certificates was
proposed to the CA/Browser Forum by