Thanks Ben.
What’s the purpose of this statement:

    5. verify that all of the information that is included in server certificates remains current and correct at intervals of 825 days or less;

The BRs limit data reuse to 825 days since March 2018, so I don’t think this adds anything. If it does mean something more than that, can you update to make it more clear?

From: Ben Wilson <bwil...@mozilla.com>
Sent: Thursday, March 18, 2021 2:53 PM
To: Doug Beattie <doug.beat...@globalsign.com>
Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

I've edited the proposed subsection 5.1 and have left section 5 in for now. See
https://github.com/BenWilson-Mozilla/pkipolicy/commit/d37d7a3865035c958c1cb139b949107665fee232

On Tue, Mar 16, 2021 at 9:10 AM Ben Wilson <bwil...@mozilla.com> wrote:

> That works, too. Thoughts?
>
> On Tue, Mar 16, 2021 at 5:21 AM Doug Beattie <doug.beat...@globalsign.com> wrote:
>
>> Hi Ben,
>>
>> Regarding the redlined spec:
>> https://github.com/mozilla/pkipolicy/compare/master...BenWilson-Mozilla:2.7.1?short_path=73f95f7#diff-73f95f7d2475645ef6fc93f65ddd9679d66efa9834e4ce415a2bf79a16a7cdb6
>>
>> Is this a meaningful statement given max validity is 398 days now?
>>
>>     5. verify that all of the information that is included in server certificates remains current and correct at intervals of 825 days or less;
>>
>> I think we can remove that and then move 5.1 to item 5.
>>
>> I find the words for this requirement 5.1 unclear:
>>
>>     "5.1. for server certificates issued on or after October 1, 2021, verify each dNSName or IPAddress in a SAN or commonName at an interval of 398 days or less;"
>>
>> Can we say:
>>
>>     "5.1. for server certificates issued on or after October 1, 2021, each dNSName or IPAddress in a SAN or commonName MUST have been validated <in accordance with the CABF Baseline Requirements?> within the prior 398 days."
-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Ben Wilson via dev-security-policy
Sent: Monday, March 8, 2021 6:38 PM
To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Policy 2.7.1: MRSP Issue #206: Limit re-use of domain name verification to 398 days

All,

Here is the currently proposed wording for subsection 5.1 of MRSP section 2.1:

    "5.1. for server certificates issued on or after October 1, 2021, verify each dNSName or IPAddress in a SAN or commonName at an interval of 398 days or less;"

Ben

On Fri, Feb 26, 2021 at 9:48 AM Ryan Sleevi <r...@sleevi.com> wrote:

>
> On Thu, Feb 25, 2021 at 7:55 PM Clint Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> I think it makes sense to separate out the date for domain validation
>> expiration from the issuance of server certificates with previously
>> validated domain names, but agree with Ben that the timeline doesn’t
>> seem to need to be prolonged. What about something like this:
>>
>> 1. Domain name or IP address verifications performed on or after July 1,
>> 2021 may be reused for a maximum of 398 days.
>> 2. Server certificates issued on or after September 1, 2021 must have
>> completed domain name or IP address verification within the preceding
>> 398 days.
>>
>> This effectively stretches the “cliff” out across ~6 months (now
>> through the end of August), which seems reasonable.
>>
>
> Yeah, that does sound reasonable.
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
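As an added illustration of how an issuance-time check would apply the proposed 398-day limit from subsection 5.1 next to the BRs' existing 825-day limit, the following Python example (written for this thread, not code from Mozilla's policy repository or from any participant) takes hypothetical per-name validation dates and reports which SAN or commonName entries would have to be re-validated before a certificate could be issued. The validation records, names and issuance dates are constructed; the assumption that the 825-day window governs certificates issued before the cut-over date is mine.

```python
from datetime import date, timedelta

# Reuse windows as discussed in the thread: the Baseline Requirements have
# limited validation data reuse to 825 days since March 2018, and proposed
# MRSP 2.1 item 5.1 shortens that to 398 days for server certificates issued
# on or after October 1, 2021.
BR_REUSE_DAYS = 825
MRSP_REUSE_DAYS = 398
MRSP_CUTOVER = date(2021, 10, 1)

def reuse_window_days(issuance: date) -> int:
    """Maximum age, in days, of a dNSName/IPAddress validation reusable for a
    server certificate issued on `issuance`. Assumption: the 825-day BR limit
    still governs certificates issued before the cut-over date."""
    return MRSP_REUSE_DAYS if issuance >= MRSP_CUTOVER else BR_REUSE_DAYS

def stale_names(validations: dict, names: list, issuance: date) -> list:
    """Names that cannot be reused for a certificate issued on `issuance`:
    never validated, validated after the issuance date, or validated longer
    ago than the applicable window allows. `validations` is a hypothetical
    per-name record of the most recent completed validation date."""
    limit = timedelta(days=reuse_window_days(issuance))
    stale = []
    for name in names:
        validated = validations.get(name)
        if validated is None or validated > issuance:
            stale.append(name)          # no usable prior validation
        elif issuance - validated > limit:
            stale.append(name)          # validation older than the window
    return stale

def may_issue(validations: dict, names: list, issuance: date) -> bool:
    """True when every requested name is within the reuse window."""
    return not stale_names(validations, names, issuance)

# Constructed sample validation records (not real CA data).
SAMPLE_VALIDATIONS = {
    "www.example.com": date(2020, 11, 15),
    "api.example.com": date(2021, 6, 1),
    "192.0.2.10": date(2021, 9, 20),
}
SAMPLE_NAMES = list(SAMPLE_VALIDATIONS)

if __name__ == "__main__":
    # Same records, before and after the proposed cut-over: www.example.com
    # fits within 825 days but not within 398.
    for day in (date(2021, 9, 30), date(2022, 1, 10)):
        print(day, "stale:", stale_names(SAMPLE_VALIDATIONS, SAMPLE_NAMES, day))
```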