[Servercert-wg] Ballot SC42: 398-day Reuse Period
Ben Wilson
bwilson at mozilla.com
Thu Apr 8 17:03:40 UTC 2021
Hi Ryan,
I have updated the ballot using your first suggested sentence, "Effective
2021-10-01, for validation of Domain Names and IP Addresses according to
Section 3.2.2.4 and 3.2.2.5, any reused data, document, or completed
validation MUST be obtained no more than 398 days prior to issuing the
Certificate."
It would be good to fix EVG section 11.14.1(6), but I'd like to get the
ballot passed as soon as possible. I'll resubmit the revised version
shortly for discussion.
Here is the immutable link:
https://github.com/cabforum/servercert/compare/9672b03bec91ad9a80f826e928e47f5c1f82964b...7cd105daf3baba01579c167d9fc10afacd49c503
On Thu, Apr 1, 2021 at 2:10 PM Ryan Sleevi <sleevi at google.com> wrote:
> Ballot bookkeeping side: Hopefully once we get SC41 merged, we'll be able
> to open this as a pull request against the CA/B Forum repo and comment
> inline. I'll try to find out why
> https://github.com/cabforum/servercert/compare/SC41...BenWilson-Mozilla:398-day-FQDN-validation
> is suggesting it's a dirty merge - and try to make sure this doesn't impact
> the ballot.
>
> In Section 4.2.1, you have the following language:
> "Effective 2021-10-01, the CA SHALL verify Domain Names and IP Addresses
> no more than 398 days prior to Certificate issuance."
>
> This might be read ambiguously, since the previous paragraph seems to
> suggest that reuse is, in fact, accepted as "verifying". While that's
> plainly not the intent, what do you think about:
>
> "Effective 2021-10-01, for validation of Domain Names and IP Addresses
> according to Section 3.2.2.4 and 3.2.2.5, any reused data, document, or
> completed validation MUST be obtained no more than 398 days prior to
> issuing the Certificate."
>
> Feels a little clunky, but perhaps fits in better. We could try rephrasing
> the whole paragraph, but that seems a bit of a heavier task for this
> ballot. But framing it in terms of reuse, since that's what this paragraph
> talks about, seems to work better.
>
> There's also the unfortunate issue of a CA interpreting "398 days and an
> hour" to be "398 days" rather than "399 days". I'm not sure if we want to
> try to tackle that here, but just acknowledging this used to be an issue in
> the past that caused CA incidents. We could slap an "exactly" before 398
> days, but that also feels like it might be superfluous.
>
> Alternatively, a different approach would be to change the sentence to:
> "Effective 2021-10-01, the maximum time permitted for reuse of data,
> documents, and/or prior validations for demonstrations of domain control
> and IP addresses, as specified in [Section
> 3.2.2.4](#3224-validation-of-domain-authorization-or-control) and [Section
> 3.2.2.5](#3225-authentication-for-an-ip-address), SHALL be 398 days". This
> would then naturally flow with the next paragraph's restriction.
>
> The changes to the EVG look fine, but note that they'll practically have
> no effect, because of the preceding paragraph ("Except for reissuance"
> creating the validation-carveout). I'm not sure if you want to tackle
> 11.14.1 (6). I think these are important to tackle, which is why I'd
> previously tried to fix these up so that the EVGs don't appear to
> override/ignore the BRs. However, it is a bit trickier. As it reads now, it
> may be seen as having loopholes, so I'm curious if you're open for more
> discussion and proposals to try to close those.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20210408/da9c464f/attachment-0001.html>
More information about the Servercert-wg
mailing list