Yeah - I've wanted to do this for a long time. If the domain is only good for 30 days, why would we issue even a 1-year cert? If it's good for 13 months, why not tie the cert validity to that? I guess because they could have transferred the domain (which just means you need additional caps)? It's odd not to have the domain registration as the maximum cap on the range since that's when you know the domain is most at risk for transfer.
Jeremy

-----Original Message-----
From: dev-security-policy <[email protected]> On Behalf Of Tim Hollebeek via dev-security-policy
Sent: Tuesday, March 17, 2020 10:00 AM
To: Kathleen Wilson <[email protected]>; Mozilla <[email protected]>
Subject: RE: About upcoming limits on trusted certificates

> On 3/11/20 3:51 PM, Paul Walsh wrote:
> > Can you provide some insight to why you think a shorter frequency in
> > domain validation would be beneficial?
>
> To start with, it is common for a domain name to be purchased for one year.
> A certificate owner that was able to prove ownership/control of the
> domain name last year might not have renewed the domain name. So why
> should they be able to get a renewal cert without having that re-checked?

This has been a favorite point of Jeremy's for as long as I've been participating in the CA/Browser Forum and on this list. Tying certificate lifetimes more closely to the lifetime and validity of the domains they are protecting would actually make a lot of sense, and we'd support any efforts to do so.

-Tim

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
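The cap Jeremy proposes (certificate validity bounded by both the policy maximum and the domain's registration expiry) as an added example, not code from anyone in this thread; the inventory, the domain expiry dates and the 398-day policy maximum are constructed assumptions for illustration:

```python
from datetime import date, timedelta

# Constructed inventory (not data from the thread): each certificate's
# validity window and the registration expiry of the domain it covers.
CERTS = {
    "example.com": {"not_before": date(2020, 3, 1), "not_after": date(2021, 3, 1)},
    "example.net": {"not_before": date(2020, 3, 1), "not_after": date(2021, 3, 1)},
}
DOMAIN_EXPIRY = {
    "example.com": date(2021, 3, 1),   # registration renewed out to the cert's notAfter
    "example.net": date(2020, 4, 15),  # registration lapses ~10 months before notAfter
}

def max_not_after(not_before, domain_expiry, policy_max_days=398):
    """Latest notAfter under the proposed rule: the policy maximum
    (assumed 398 days; the thread says '13 months') or the domain
    registration expiry, whichever comes first."""
    policy_cap = not_before + timedelta(days=policy_max_days)
    return min(policy_cap, domain_expiry)

def audit(certs, domain_expiry):
    """Defender-side check of an existing inventory: map each domain whose
    certificate outlives its registration to the number of days of overrun.
    A domain with no known registration expiry is mapped to None so it is
    surfaced for manual review rather than silently passing."""
    findings = {}
    for name, cert in certs.items():
        expiry = domain_expiry.get(name)
        if expiry is None:
            findings[name] = None
            continue
        overrun = (cert["not_after"] - expiry).days
        if overrun > 0:
            findings[name] = overrun
    return findings

if __name__ == "__main__":
    for name, cert in CERTS.items():
        capped = max_not_after(cert["not_before"], DOMAIN_EXPIRY[name])
        print(f"{name}: issued notAfter {cert['not_after']}, capped notAfter {capped}")
    print("certs outliving their registration:", audit(CERTS, DOMAIN_EXPIRY))
```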

