[cabf_validation] Draft Ballot SCXX: Improve Certificate Lifetimes

Tim Shirley TShirley at securetrust.com
Thu Aug 1 11:23:06 MST 2019


One important distinction between CAA and domain validation, though, is that CAA assumes permission to issue unless otherwise specified, whereas domain validation requires a unique code to be placed in DNS per issuance (assuming a DNS-based DV method is used). So there is no additional burden placed on the site operator by not allowing reuse of CAA checks.


From: Validation <validation-bounces at cabforum.org> on behalf of "validation at cabforum.org" <validation at cabforum.org>
Reply-To: "sleevi at google.com" <sleevi at google.com>, "validation at cabforum.org" <validation at cabforum.org>
Date: Thursday, August 1, 2019 at 12:34 PM
To: "doug.beattie at globalsign.com" <doug.beattie at globalsign.com>, "validation at cabforum.org" <validation at cabforum.org>
Subject: Re: [cabf_validation] Draft Ballot SCXX: Improve Certificate Lifetimes


This ballot proposes changes to several components and not just the maximum validity period.  I’d like to understand the reasons for each, perhaps in the above proposed blog.

  *   Maximum validity period: Yes, this is the driving reason for the ballot, I understand that.
  *   Maximum re-use of domain validation data: Is limiting this to 13 months necessary?  If this is the primary reason for the ballot, then is the reduction in certificate validity necessary?  How do these 2 changes relate to each other?  Do these have to match, and if so, why?
I actually think we need to get this particular bit down as aggressively as possible. From a security point of view, the ideal end state is zero reuse of domain validation data. We already have that for CAA, and it has not caused significant harm.
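The CAA default-permit rule and the per-issuance DV token that Tim contrasts above, as an added Python example that is not from this thread or from any CA's code; the zone data is constructed and the `_validation.` TXT name is an assumed label, not a real DV method's.

```python
import secrets
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value); flags 128 = issuer-critical bit

# Constructed zone data for this example (no live DNS is queried).
CAA_ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "locked.example.": [(128, "unknowntag", "x")],  # critical flag on a tag the CA cannot process
}

def relevant_caa_set(fqdn: str) -> List[CAARecord]:
    """RFC 8659 section 3: climb from the FQDN toward the root; the first CAA RRset found is the relevant set."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if CAA_ZONE.get(name):
            return CAA_ZONE[name]
    return []  # no CAA anywhere in the chain

def caa_permits(fqdn: str, issuer_domain: str, wildcard: bool = False) -> bool:
    """True if CAA allows issuer_domain to issue for fqdn; absent or non-restricting records permit by default."""
    rrset = relevant_caa_set(fqdn)
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag not in known for flags, tag, _ in rrset):
        return False  # unknown critical property: the issuer must not issue
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # nothing restricts this kind of issuance
    allowed = {v.split(";", 1)[0].strip() for v in values}  # ";" alone yields "" and authorizes no CA
    return issuer_domain in allowed

def new_dns_challenge(fqdn: str) -> Tuple[str, str]:
    """Constructed DV step: the CA mints a fresh random token for this one issuance (assumed record name)."""
    return "_validation." + fqdn, secrets.token_urlsafe(16)

def dv_satisfied(txt_records: Dict[str, List[str]], name: str, token: str) -> bool:
    """The challenge passes only if this issuance's token is published; a token from an earlier issuance does not count."""
    return token in txt_records.get(name, [])

if __name__ == "__main__":
    print(caa_permits("www.example.com.", "ca-one.example"))  # True: the issue record names this CA
    print(caa_permits("www.example.com.", "ca-two.example"))  # False: another CA is not listed
    print(caa_permits("nocaa.example.", "ca-two.example"))    # True: no CAA at all, permitted by default
    name, token = new_dns_challenge("www.example.com.")
    print(dv_satisfied({name: [token]}, name, token))         # True only with this issuance's token
```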