On Tue, Mar 28, 2017 at 8:52 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> While this has apparently already passed, the earlier date for
> requiring revalidation is going to be a problem for any CA that has
> already sold a large number (thousands, millions) of prepaid 3 year
> contracts based on the assumption that validation costs would be
> incurred by the CA only once during the contract period.

It's unclear to me the point you're trying to make with this comment, so I'm hoping you can expand. It sounds like you're just making a position statement, and not asking Mozilla to change or reconsider anything that was already considered. Is that a correct understanding? That is, given that Gerv is asking for feedback, it's unclear whether you're offering the feedback for change, or just making statements.

Given that you're talking about "future consideration", it sounds like that's best directed to the CA/Browser Forum, and given that the CAs affected voted in favour of it, it doesn't sound like they agree with your analysis, but I could be mistaken.

> Note that it is very common for all the underlying validity information
> to be fixed for 2 or more years (for example domain registrations,
> company registrations etc.), providing little reason to impose the
> inconvenience and cost of short certificate lifespans onto every
> ongoing business and every personal website on the planet.

I think including domain registrations in that would be a stretch that borderlines inaccurate, and thus while it may impose some degree of inconvenience over the status quo, it will also significantly improve security. While a domain may be registered for a number of years, there's no guarantee as to the frequency of that information being updated, and there's no guarantee that the domain holder's contact information won't change during the operation, thus there is a great benefit for ensuring it's revalidated.

To the general point that different aspects of different information require different revalidation periods, I'm on record in the CA/Browser Forum as agreeing with that sentiment, as my goal with 186 is post-readoption of the 169/182 methods of validation, the lifetime of reuse will be appropriately scoped to the method used to validate that information.