Hi Kathleen,

Can you provide some insight into why you think a shorter frequency in domain validation would be beneficial? At the very least it deserves a new thread, as the potential impact could be significant.

And out of curiosity, why not raise your question inside the CA/Browser Forum if you believe the original change being discussed should have been brought up there? I believe the potential outcome would have a separate impact on CAs and website owners. In particular, it would cost website owners more time, resources and money. For this reason, I'm assuming you're not asking the question to simply line up with another change.

Thanks,
Paul

> On Mar 11, 2020, at 3:39 PM, Kathleen Wilson via dev-security-policy
> <[email protected]> wrote:
>
> All,
>
> First, I would like to say that my preference would have been for this type
> of change (limit SSL cert validity period to 398 days) to be agreed to in the
> CA/Browser Forum and added to the BRs. However, the ball is already rolling,
> and discussion here in m.d.s.p is supportive of updating Mozilla's Root Store
> Policy to incorporate the shorter validity period. So...
>
> What do you all think about also limiting the re-use of domain validation?
>
> BR section 3.2.2.4 currently says: "Completed validations of Applicant
> authority may be valid for the issuance of multiple Certificates over time."
> And BR section 4.2.1 currently says: "The CA MAY use the documents and data
> provided in Section 3.2 to verify certificate information, or may reuse
> previous validations themselves, provided that the CA obtained the data or
> document from a source specified under Section 3.2 or completed the
> validation itself no more than 825 days prior to issuing the Certificate."
>
> In line with that, section 2.1 of Mozilla's Root Store Policy currently says:
> "CAs whose certificates are included in Mozilla's root program MUST: ...
> "5. verify that all of the information that is included in SSL certificates
> remains current and correct at time intervals of 825 days or less;"
>
> When we update Mozilla's Root Store Policy, should we shorten the domain
> validation frequency to be in line with the shortened certificate validity
> period? i.e. change item 5 in section 2.1 of Mozilla's Root Store Policy to:
> "5. limit the validity period and re-use of domain validation for SSL
> certificates to 398 days or less if the certificate is issued on or after
> September 1, 2020;"
>
> I realize that in order to enforce shorter frequency in domain validation we
> will need to get this change into the BRs and into the audit criteria. But
> CAs are expected to follow Mozilla's Root Store Policy regardless of
> enforcement mechanisms, and having this in our policy would make Mozilla's
> intentions clear.
>
> As always, I will greatly appreciate your thoughtful and constructive input
> on this.
>
> Thanks,
> Kathleen
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

