New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limit re-use of domain name verification to 398 days #206
Comments
I have some concerns about Mozilla enacting this policy without first attempting to change the BRs and EVGLs:
I realize that this was already voted down in SC22, but that was in the context of limiting certificate lifetime and the reuse of all validated information (including identity). I acknowledge that CAs may shoot down another ballot specific to domain validation reuse, but the potential benefits are worth the effort to take this issue to the CAB Forum first, and I am willing to lead that effort. |
Mozilla has routinely updated its policies to be more restrictive than the BRs.
Mozilla has ample experience in this, such as the requirement for a problem reporting e-mail address. Further, this is very simple to get forced into the scope of the audit, by requiring that the CA disclose in their CP/CPS compliance with this policy.
This is not entirely accurate. The EV Guidelines impose separate limits with respect to domain information, and sections such as the BRs regarding CAA have imposed specific time limited requirements. Similarly, the BRs themselves allow for differing reuses or validation data.
These ideas were debated and their flaws previously pointed out. It doesn’t seem like either of these represent new ideas that were not considered?
What are the potential benefits? Or was that what the above bullets were referring to? |
We both know that Mozilla has the ability and right to impose policies unilaterally. Before doing so, Mozilla has always considered if it would be better to work with the CAB Forum to make the change to their guidelines. This is such a case.
Who will enforce that the CA has added the disclosure to their policy documents? Adding the requirement to the BRs will result in BR audit criteria specific to this requirement. It's easier for an auditor to overlook or accept a creative interpretation of a requirement the CA places on itself.
True. This reinforces my point that these changes will be clearer if made in those guidelines.
As noted, these are examples. I'm finding little evidence in mailing list archives of previous debates on these ideas. There was some discussion around ballot 186, but that was 3 years ago and the focus then, as with SC22, was on the companion ballot 185 that limited cert lifetime. Your reply appears to have deleted the point I was making:
I'm having difficulty interpreting this as an honest question rather than a snide remark. I support the goal of this proposal and am not attempting to delay it. |
It was very much an honest question, because it seems there’s only one
clearly articulated benefit from your original message: having it as
auditable criteria. You seem to have acknowledged that longer domain reuse
isn’t necessarily a benefit, or at least, that it’s subjective and there’s
room for disagreement and debate. Similarly, a statement that there is no
precedent isn’t a statement about benefits, it seems more of a simple
concern that can be addressed by showing there is existing precedent.
If this is a cost/benefit trade-off, my reply was trying to highlight that
the only clear benefit (auditability) can be achieved already, and that
there exists precedent to address the concern.
Given that this has been discussed in the Forum for over five years now, it
seems that the only reason to believe the discussion may be more productive
now is because root programs such as Apple have taken action to state their
expectations directly, independently, and as a result of considering all
the discussion to date. If that’s the case, then it seems there’s just as
likely substantial benefit to Mozilla stating expectations directly as
well, via policy, and considering the five years of discussion. This can
happen before/without any changes to the BRs, and better help guide what
the expectations for the BRs are. If the BRs can help improve the
auditability, that’s great, and definitely a benefit. But that benefit
doesn’t require blocking policy changes on more discussion.
Concretely: What’s the harm or cost you’d be worried about if the policy
was adopted first, and the BRs then updated to incorporate those
expectations? It seems like the same benefits would be met, but the
discussion would also be facilitated and improved by having a clearer
expectation of the objective. If the discussions in the Forum fail, the
policy still exists on its own, providing clarity for CAs and security for
Mozilla users. If the discussion produces useful changes, similarly, policy
can be updated to incorporate that feedback, same as every other policy
improvement.
That seems a significantly better outcome than if discussions lasted until,
say, Feb 2021, or even Sept 2020, and didn’t produce a useful result that
achieved the goal. In that case, it may be difficult to impossible to
achieve an April 2021 date, and it may create more animosity towards
Mozilla if continued anyways.
The current path guarantees that some benefits will be met. The path you’re
proposing seems to gamble those long-term benefits, and in a timely way,
for the chance at improved auditability and some (subjective) additions.
It’s not clear that’s a good tradeoff, so if there are other benefits, it’s
worth making sure they’re captured, even the subjective ones.
|
Mozilla must have invested heavily in CA's. This will increase businesses costs. Alternatives need to investigated and promoted over Google, Mozilla and Apple. |
Section 4.2.1 of the Baseline Requirements (v.1.7.1) still allows data re-use for 825 days - |
I disagree with the current BRs in this regards, because I think the domain ownership should be re-verified every time a TLS certificate is issued. So I'd like to move the bar closer, by limiting domain verification re-use to match the maximum TLS certificate validity period. It would be great if the BRs get updated in this regards, but that is not a blocker in regards to updating Mozilla's Root Store Policy. It is OK to add something to Mozilla's Root Store Policy with a future effective date. |
Subsection 5 of Section 2.1 should be amended to say, "verify that all of the information that is included in SSL certificates remains current and correct at time intervals of 395 days or less." |
The point of this issue is that prior to TLS certificate issuance, I think that the CA must confirm that the certificate requestor owns/controls each dNSName and iPAddress to be listed in the certificate's subjectAltName. (even for certificate renewals)
|
Can we still use subsection 5 of Section 2.1 as the vehicle for this change, or does it require a whole new subsection? In other words, could the subsection amendment say something like, "verify that domain validation is performed in accordance with BR section 3.2.2.4 at time intervals of 395 days or less"? The downside of that approach is that it would lose the concept of verifying all information every 825 days. However, currently section 4.2.1 of the BRs already says, "The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, or may reuse previous validations themselves, provided that the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 825 days prior to issuing the Certificate." |
This is to address Issue mozilla#206 - mozilla#206
Maybe we could add a sub-bullet item?
|
Is it possible to state the new requirement as: 5.1 Additionally, domain validations for dNSName and IPAddresses in the certificate's subjectAltName done after may only be used for 398 days. This avoids the cliff of a massive number of domains all needing to be validated on the effective date (or just prior). |
This proposed modification is to address Issue mozilla#206.
Changed sentence to "for server certificates issued on or after July 1, 2021, verify each dNSName or IPAddress in a SAN or commonName at an interval of 398 days or less;"
For Issue mozilla#206, changed requirement from July 1 to October 1, 2021 (based on discussions at the CABF)
Edited based on comment from Doug Beattie - https://groups.google.com/g/mozilla.dev.security.policy/c/7TeSlHFIk5U/m/hl0baS1WCQAJ
When we update Mozilla's Root Store Policy to limit TLS certificate validity periods to 398 days, we should also update the policy to limit re-use of domain name verification results.
I started discussion about this in m.d.s.p, and consensus appears to support the idea, with the two primary recommendations:
The text was updated successfully, but these errors were encountered: