I think this statement is not accurate: "As a result, CAs don’t pursue automation, or when they support it, neither promote nor require it." I know very few CAs who want to spend extra resources on manual validations and just as few who don't support some level of automation. The manual methods are generally used because so many companies haven't automated this process or refuse to. The companies who contribute to these threads tend to be far more technical than most other companies (or the majority of cert requesters). The assumption that each company has the resources to set up automation ignores this. The opposition to shorter lifecycles and validation periods stems from knowing these work flows and the painful exercise of changing them.
The automated methods weren't even codified until ballot 169 which was late 2016. We're at less than 4 years for automation being a real option. Although I don't have empirical data for other CAs, the LE adoption rate (a billion certs since indicates a fairly rapid adoption of automated methods compared to other changes in the industry. Jeremy -----Original Message----- From: dev-security-policy <[email protected]> On Behalf Of Ryan Sleevi via dev-security-policy Sent: Thursday, March 12, 2020 7:30 AM To: Julien Cristau <[email protected]> Cc: Mozilla <[email protected]>; Kathleen Wilson <[email protected]> Subject: Re: About upcoming limits on trusted certificates The Baseline Requirements allow a number of methods that aren’t easily automated, such as validation via email. As a result, CAs don’t pursue automation, or when they support it, neither promote nor require it. This leads CAs to be opposed to efforts to shorten the reuse time, as they have historically treated it as the same complexity as identity validation, even when it doesn’t need to be. There’s nothing intrinsically preventing it, although the practical effect is it would encourage technically automatable methods, as opposed to manual methods. On Thu, Mar 12, 2020 at 4:45 AM Julien Cristau via dev-security-policy < [email protected]> wrote: > Hi Kathleen, all, > > Is there a reason domain validation information needs to be reused for > more than, say, 30 days? For the manual parts of identity validation > I understand you don't want to repeat the process too often, but > domain validation can be entirely automated so it doesn't seem like > long reuse periods are warranted. (It's entirely possible I'm missing > something and there are significant hurdles to overcome for CAs and/or > applicants in confirming domain ownership more than once a year.) > > Thanks, > Julien > > On Wed, Mar 11, 2020 at 11:39 PM Kathleen Wilson via > dev-security-policy < [email protected]> wrote: > > > All, > > > > First, I would like to say that my preference would have been for > > this type of change (limit SSL cert validity period to 398 days) to > > be agreed to in the CA/Browser Forum and added to the BRs. However, > > the ball is already rolling, and discussion here in m.d.s.p is > > supportive of updating Mozilla's Root Store Policy to incorporate > > the shorter validity period. So... > > > > What do you all think about also limiting the re-use of domain > validation? > > > > BR section 3.2.2.4 currently says: "Completed validations of > > Applicant authority may be valid for the issuance of multiple > > Certificates over time." > > And BR section 4.2.1 currently says: "The CA MAY use the documents > > and data provided in Section 3.2 to verify certificate information, > > or may reuse previous validations themselves, provided that the CA > > obtained the data or document from a source specified under Section > > 3.2 or completed the validation itself no more than 825 days prior > > to issuing the Certificate." > > > > In line with that, section 2.1 of Mozilla's Root Store Policy > > currently > > says: > > "CAs whose certificates are included in Mozilla's root program MUST: ... > > "5. verify that all of the information that is included in SSL > > certificates remains current and correct at time intervals of 825 > > days or less;" > > > > When we update Mozilla's Root Store Policy, should we shorten the > > domain validation frequency to be in line with the shortened > > certificate validity period? i.e. change item 5 in section 2.1 of > > Mozilla's Root Store Policy to: > > "5. limit the validity period and re-use of domain validation for > > SSL certificates to 398 days or less if the certificate is issued on > > or after September 1, 2020;" > > > > I realize that in order to enforce shorter frequency in domain > > validation we will need to get this change into the BRs and into the > > audit criteria. But CAs are expected to follow Mozilla's Root Store > > Policy regardless of enforcement mechanisms, and having this in our > > policy would make Mozilla's intentions clear. > > > > As always, I will greatly appreciate your thoughtful and > > constructive input on this. > > > > Thanks, > > Kathleen > > _______________________________________________ > > dev-security-policy mailing list > > [email protected] > > https://lists.mozilla.org/listinfo/dev-security-policy > > > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
