On Tue, Mar 28, 2017 at 8:52 AM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

>
> While this has apparently already passed, the earlier date for
> requiring revalidation is going to be a problem for any CA that has
> already sold a large number (thousands, millions) of prepaid 3 year
> contracts based on the assumption that validation costs would be
> incurred by the CA only once during the contract period.
>

It's unclear to me what point you're trying to make with this comment, so
I'm hoping you can expand. It sounds like you're just making a position
statement, and not asking Mozilla to change or reconsider anything that was
already considered. Is that a correct understanding?

That is, given that Gerv is asking for feedback, it's unclear whether
you're offering the feedback for change, or just making statements. Given
that you're talking about "future consideration", it sounds like that's
best directed to the CA/Browser Forum, and given that the CAs affected
voted in favour of it, it doesn't sound like they agree with your analysis,
but I could be mistaken.


> Note that it is very common for all the underlying validity information
> to be fixed for 2 or more years (for example domain registrations,
> company registrations etc.), providing little reason to impose the
> inconvenience and cost of short certificate lifespans onto every
> ongoing business and every personal website on the planet.


I think including domain registrations in that would be a stretch that
borders on inaccurate, and thus while it may impose some degree of
inconvenience over the status quo, it will also significantly improve
security.

While a domain may be registered for a number of years, there's no
guarantee as to the frequency of that information being updated, and
there's no guarantee that the domain holder's contact information won't
change during the operation, thus there is a great benefit for ensuring
it's revalidated.

To the general point that different aspects of different information
require different revalidation periods, I'm on record in the CA/Browser
Forum as agreeing with that sentiment, as my goal with 186 is that,
post-readoption of the 169/182 methods of validation, the lifetime of reuse
will be appropriately scoped to the method used to validate that
information.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
