The purpose of this email is to begin public discussion on a modification
to subsection 5 in section 2.1 of the Mozilla Root Store Policy.

Issue #206 <https://github.com/mozilla/pkipolicy/issues/206> in GitHub
discusses the need to bring the reuse period for domain validation in line
with the certificate issuance validity cycle of 398 days (as set forth in
section 6.3.2 of the Baseline Requirements). This proposal is not to say
that Mozilla is not also contemplating a ballot in the CA/Browser Forum
that would introduce similar language to the Baseline Requirements. Any
potential CABF endorsers of such a ballot should reach out to me off-list.

Currently, subsection 5 of section 2.1 of the Mozilla Root Store Policy
(MRSP) states that a CA must “verify that all of the information that is
included in SSL certificates remains current and correct at time intervals
of 825 days or less;”

It is proposed that a subsection 5.1 be added to this subsection to require
that, for subjectAltName verifications of dNSNames or IPAddresses performed
on or after July 1, 2021, CAs verify the dNSName or IPAddress at intervals
of 398 days or less.

Proposed language may be found in the following commit:

https://github.com/BenWilson-Mozilla/pkipolicy/commit/b7b53eea3a0af1503f3c99632ba22efc9e86bee2

Restated here, the proposed language for subsection 5.1 of section 2.1 is:

"for subjectAltName verifications of dNSNames and IPAddresses performed on
or after July 1, 2021, verify that each dNSName or IPAddress is current and
correct at intervals of 398 days or less;"

I look forward to your comments, suggestions and discussions.

Thanks,

Ben
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
