All,

First, I would like to say that my preference would have been for this type of change (limit SSL cert validity period to 398 days) to be agreed to in the CA/Browser Forum and added to the BRs. However, the ball is already rolling, and discussion here in m.d.s.p is supportive of updating Mozilla's Root Store Policy to incorporate the shorter validity period. So...

What do you all think about also limiting the re-use of domain validation?

BR section 3.2.2.4 currently says: "Completed validations of Applicant authority may be valid for the issuance of multiple Certificates over time."

And BR section 4.2.1 currently says: "The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, or may reuse previous validations themselves, provided that the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 825 days prior to issuing the Certificate."

In line with that, section 2.1 of Mozilla's Root Store Policy currently says:

"CAs whose certificates are included in Mozilla's root program MUST: ...
"5. verify that all of the information that is included in SSL certificates remains current and correct at time intervals of 825 days or less;"

When we update Mozilla's Root Store Policy, should we shorten the domain validation frequency to be in line with the shortened certificate validity period? i.e. change item 5 in section 2.1 of Mozilla's Root Store Policy to:

"5. limit the validity period and re-use of domain validation for SSL certificates to 398 days or less if the certificate is issued on or after September 1, 2020;"

I realize that in order to enforce shorter frequency in domain validation we will need to get this change into the BRs and into the audit criteria. But CAs are expected to follow Mozilla's Root Store Policy regardless of enforcement mechanisms, and having this in our policy would make Mozilla's intentions clear.

As always, I will greatly appreciate your thoughtful and constructive input on this.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy