I have some concerns about Mozilla enacting this policy without first attempting to change the BRs and EVGLs:

• Mozilla has no way to enforce this policy. While audits aren't perfect, at least they will (eventually) cover this requirement if in the BRs
• There has never been a data reuse period specific to domain validation. This creates the potential for some ambiguity that can be best addressed by making the changes in the actual guidelines. E.g. EVGL 11.14.2
• There are some interesting ideas around allowing longer domain validation reuse periods under certain conditions such as having registered the domain name for a long time, or simply using whois to check for any registration updates prior to reusing the information. (NOTE: these are just ideas; there's no need to debate them here) Many CAs find it less intimidating to participate in CAB Forum discussions and a debate there could result in improvements to the reuse policy.

I realize that this was already voted down in SC22, but that was in the context of limiting certificate lifetime and the reuse of all validated information (including identity). I acknowledge that CAs may shoot down another ballot specific to domain validation reuse, but the potential benefits are worth the effort to take this issue to the CAB Forum first, and I am willing to lead that effort.

I have some concerns about Mozilla enacting this policy without first attempting to change the BRs and EVGLs:

Mozilla has routinely updated its policies to be more restrictive than the BRs.

• Mozilla has no way to enforce this policy.

Mozilla has ample experience in this, such as the requirement for a problem reporting e-mail address. Further, this is very simple to get forced into the scope of the audit, by requiring that the CA disclose in their CP/CPS compliance with this policy.

• There has never been a data reuse period specific to domain validation.

This is not entirely accurate. The EV Guidelines impose separate limits with respect to domain information, and sections such as the BRs regarding CAA have imposed specific time limited requirements. Similarly, the BRs themselves allow for differing reuses or validation data.

• There are some interesting ideas around allowing longer domain validation reuse periods under certain conditions such as having registered the domain name for a long time, or simply using whois to check for any registration updates prior to reusing the information. (NOTE: these are just ideas; there's no need to debate them here)

These ideas were debated and their flaws previously pointed out. It doesn’t seem like either of these represent new ideas that were not considered?

I acknowledge that CAs may shoot down another ballot specific to domain validation reuse, but the potential benefits are worth the effort to take this issue to the CAB Forum first, and I am willing to lead that effort.

What are the potential benefits? Or was that what the above bullets were referring to?

I have some concerns about Mozilla enacting this policy without first attempting to change the BRs and EVGLs:

Mozilla has routinely updated its policies to be more restrictive than the BRs.

We both know that Mozilla has the ability and right to impose policies unilaterally. Before doing so, Mozilla has always considered if it would be better to work with the CAB Forum to make the change to their guidelines. This is such a case.

• Mozilla has no way to enforce this policy.

Mozilla has ample experience in this, such as the requirement for a problem reporting e-mail address. Further, this is very simple to get forced into the scope of the audit, by requiring that the CA disclose in their CP/CPS compliance with this policy.

Who will enforce that the CA has added the disclosure to their policy documents?

Adding the requirement to the BRs will result in BR audit criteria specific to this requirement. It's easier for an auditor to overlook or accept a creative interpretation of a requirement the CA places on itself.

• There has never been a data reuse period specific to domain validation.

This is not entirely accurate. The EV Guidelines impose separate limits with respect to domain information, and sections such as the BRs regarding CAA have imposed specific time limited requirements. Similarly, the BRs themselves allow for differing reuses or validation data.

True. This reinforces my point that these changes will be clearer if made in those guidelines.

• There are some interesting ideas around allowing longer domain validation reuse periods under certain conditions such as having registered the domain name for a long time, or simply using whois to check for any registration updates prior to reusing the information. (NOTE: these are just ideas; there's no need to debate them here)

These ideas were debated and their flaws previously pointed out. It doesn’t seem like either of these represent new ideas that were not considered?

As noted, these are examples.

I'm finding little evidence in mailing list archives of previous debates on these ideas. There was some discussion around ballot 186, but that was 3 years ago and the focus then, as with SC22, was on the companion ballot 185 that limited cert lifetime.

Your reply appears to have deleted the point I was making:

Many CAs find it less intimidating to participate in CAB Forum discussions and a debate there could result in improvements to the reuse policy.

I acknowledge that CAs may shoot down another ballot specific to domain validation reuse, but the potential benefits are worth the effort to take this issue to the CAB Forum first, and I am willing to lead that effort.

What are the potential benefits? Or was that what the above bullets were referring to?

I'm having difficulty interpreting this as an honest question rather than a snide remark. I support the goal of this proposal and am not attempting to delay it.

Mozilla must have invested heavily in CA's. This will increase businesses costs. Alternatives need to investigated and promoted over Google, Mozilla and Apple.

Section 4.2.1 of the Baseline Requirements (v.1.7.1) still allows data re-use for 825 days -
"The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, or may reuse previous validations themselves, provided that the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 825 days prior to issuing the Certificate."

Section 4.2.1 of the Baseline Requirements (v.1.7.1) still allows data re-use for 825 days -
"The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, or may reuse previous validations themselves, provided that the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 825 days prior to issuing the Certificate."

I disagree with the current BRs in this regards, because I think the domain ownership should be re-verified every time a TLS certificate is issued. So I'd like to move the bar closer, by limiting domain verification re-use to match the maximum TLS certificate validity period.

It would be great if the BRs get updated in this regards, but that is not a blocker in regards to updating Mozilla's Root Store Policy.

It is OK to add something to Mozilla's Root Store Policy with a future effective date.

Subsection 5 of Section 2.1 should be amended to say, "verify that all of the information that is included in SSL certificates remains current and correct at time intervals of 395 days or less."

The point of this issue is that prior to TLS certificate issuance, I think that the CA must confirm that the certificate requestor owns/controls each dNSName and iPAddress to be listed in the certificate's subjectAltName. (even for certificate renewals)
So I think we should:

1. Be specific about what needs to be verified -- not necessarily "all of the information that is included in SSL certificate"
2. Align with the BRs: 398 days.

Can we still use subsection 5 of Section 2.1 as the vehicle for this change, or does it require a whole new subsection? In other words, could the subsection amendment say something like, "verify that domain validation is performed in accordance with BR section 3.2.2.4 at time intervals of 395 days or less"? The downside of that approach is that it would lose the concept of verifying all information every 825 days. However, currently section 4.2.1 of the BRs already says, "The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, or may reuse previous validations themselves, provided that the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 825 days prior to issuing the Certificate."

Maybe we could add a sub-bullet item?
For example:

5. verify that all of the information that is included in SSL certificates remains current and correct at time intervals of 825 days or less;
   5.1 additionally, verify ownership/control of each dNSName and iPAddress in the certificate's subjectAltName at time intervals of 398 days or less;

Is it possible to state the new requirement as:

5.1 Additionally, domain validations for dNSName and IPAddresses in the certificate's subjectAltName done after may only be used for 398 days.

This avoids the cliff of a massive number of domains all needing to be validated on the effective date (or just prior).