On 3/12/20 5:52 AM, Doug Beattie wrote:

Changing the domain validation re-user period is a substantial change from the Apple proposed max validity period change and will place an additional burden on certificate Applicants to update their domain validation more than twice as frequently.


Please elaborate about why re-verifying the domain name ownership is difficult for the CA who is issuing the renewal TLS cert. Or why the TLS certificate Applicant will face undue burden if they have to prove domain name ownership when they renew their TLS cert to replace the cert that was issued a year ago.

Or, is your concern about the date?
e.g. aligning the change with the date that Apple chose of September 1, 2020 for the one-year validity period? I am not set on any particular date, so long as we are making forward progress. So if the concern is about the date, please suggest alternatives for when it would be reasonable to require CAs to re-verify that the certificate Applicant still owns the domain name to be included in their TLS cert to replace the cert that was issued a year ago.


Certificate validity and domain validation re-use periods don't necessarily need to be tied to the same value, so having certificate validity capped at 398 days and domain re-use set at 825 days isn't contradictory.


BygoneSSL explains why domain ownership validation should be done more frequently:

https://insecure.design/
""
This is the demo site for BygoneSSL. It outlines what can happen when an SSL certificate can outlive one of its domains' ownerships into the next.
Why is this a problem?
Well, aside from the fact that the previous domain owner could Man-in-the-Middle the new domain owner's SSL traffic for that domain, if there are any domains that share alt-names with the domain, they can be revoked, potentially causing a Denial-of-Service if they are still in use.
""


Can you also provide, in a blog or a publicly posted article, the reasons for shortening the certificate validity? There are hundreds of comments and suggestions in multiple mail lists, but there is a lack of a documented formal security analysis of the recommended changes that we can point our customers to.



If folks think that it would be helpful, I (or someone at Mozilla) could post in Mozilla's Security Blog to list some of the reasons for shortening certificate validity periods and shortening the frequency of re-validating domain name verification.


Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
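The BygoneSSL scenario quoted above, worked as an inventory check. This is an added example, not code from the thread or from the BygoneSSL project: given certificate records and a record of domain transfers (all constructed placeholders), it flags certificates that outlive a SAN's ownership, lists the other SANs that revocation would take down, and computes the worst-case exposure window for the 825-day re-use and 398-day validity values under discussion.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    serial: str                 # constructed label, not a real serial
    sans: tuple[str, ...]
    not_before: date
    not_after: date


# Constructed sample inventory; every domain here is a placeholder.
CERTS = [
    Cert("c1", ("shop.example", "api.example", "old-brand.example"),
         date(2019, 9, 1), date(2021, 9, 1)),
    Cert("c2", ("blog.example",), date(2020, 1, 1), date(2021, 1, 1)),
]
# Constructed record of domains that changed hands: domain -> transfer date.
TRANSFERS = {"old-brand.example": date(2020, 3, 1)}


def bygone_certs(certs, transfers, as_of):
    """Return [(serial, domain, collateral)] for every cert still valid at
    `as_of` that carries a SAN whose ownership changed after issuance.
    `collateral` is the cert's other SANs: they stop working too if the
    cert has to be revoked (the Denial-of-Service side of BygoneSSL)."""
    findings = []
    for cert in certs:
        if not (cert.not_before <= as_of <= cert.not_after):
            continue  # expired or not yet valid: no live exposure
        for domain in cert.sans:
            moved = transfers.get(domain)
            if moved is not None and cert.not_before < moved <= as_of:
                collateral = tuple(s for s in cert.sans if s != domain)
                findings.append((cert.serial, domain, collateral))
    return findings


def worst_case_exposure_days(max_validity_days, dv_reuse_days):
    """Longest stretch after the last proof of domain control during which a
    prior owner can still hold a valid cert: one issued on the last day the
    old validation may be re-used, then living out its full validity.
    Simplification: ignores revocation and assumes issuance exactly at the
    end of the re-use window."""
    return dv_reuse_days + max_validity_days


if __name__ == "__main__":
    for serial, domain, others in bygone_certs(CERTS, TRANSFERS, date(2020, 6, 1)):
        print(f"{serial}: {domain} changed hands; revoking also affects {others}")
    print("825-day re-use + 398-day validity:", worst_case_exposure_days(398, 825), "days")
    print("398-day re-use + 398-day validity:", worst_case_exposure_days(398, 398), "days")
```

Shortening only the validity period leaves the re-use term as the larger part of the window, which is the point the two quoted positions differ on.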