May 2020 CA Communication

SUB ITEM 3.2: Limit re-use of domain name and IP address verification to 398 days

Mozilla would like to have the domain name or IP address re-verified each time a TLS certificate is issued. However, as a first step, given that a TLS certificate will be valid for a maximum of 398 days, we would like to see the domain name or IP address verification also only valid for 398 days or less. We realize that this change has an impact on CA processes and documentation, so we would like your input as to the date by which you believe your CA can make this change.
| CA Owner | SUB ITEM 3.2 Response | SUB ITEM 3.2 DATE | SUB ITEM 3.2 COMMENTS |
| --- | --- | --- | --- |
| AC Camerfirma, S.A. | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| Actalis | Our CA re-uses domain name or IP address verification, but for periods less than 398 days. Our current maximum reuse period is described below. | | Our CA re-uses domain name or IP address verification for a maximum of 365 days. |
| Amazon Trust Services | Other (please describe below) | | Our CA is able to implement change to 398 days or less validity by the date Mozilla specifies in their policy. |
| Asseco Data Systems S.A. (previously Unizeto Certum) | Our CA re-uses domain name or IP address verification, but for periods less than 398 days. Our current maximum reuse period is described below. | | Our current maximum reuse of domain name and IP verification period is 120 days. |
| Atos | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Aug 31 | |
| Autoridad de Certificacion Firmaprofesional | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| Buypass | Other (please describe below) | | Buypass will be able to re-verify domain names more frequently according to Mozilla requirements. This is a major change that we would prefer to be discussed in the CA/Browser Forum and included in the Baseline Requirements. |
| China Financial Certification Authority (CFCA) | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| Chunghwa Telecom | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) | Other (please describe below) | | Although our CA still has the website bit enabled, we have not issued TLS Certificates since 1st-January-2020. The last one was issued on 27th-December-2019. Related bugs/information: https://bugzilla.mozilla.org/show_bug.cgi?id=1496616#c22 https://bugzilla.mozilla.org/show_bug.cgi?id=1621159 |
| Cybertrust Japan / JCSI | Our CA re-uses domain name or IP address verification, but for periods less than 398 days. Our current maximum reuse period is described below. | | |
| D-TRUST | Other (please describe below) | | From our daily practice we can report that our customers will certainly have a much higher effort with a domain check immediately before the certificate is issued and most likely will not have any understanding for this. The reason for this is that for OV and EV customers, domain validation is a manual process that involves corresponding interactions. A change to automated processes will certainly be possible for some customers, but not for all. The latter would have to deal with major delays in certificate issuance. Today our CA re-uses domain name verification, but for periods of 12 months. Regardless of this, we would like to suggest that this topic be discussed in the CA/B Forum so that a common rule can be established. |
| Deutsche Telekom Security GmbH | Other (please describe below) | | Our CA would be able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less. However, a recent customer query revealed that customers are strongly opposed to this proposal, especially customers who use numerous domains. The re-use of verification information is, and should be, regulated by the Baseline Requirements. Certificate validation policies are important enough to be defined in the BR instead of individual Root Programs. |
| Dhimyotis / Certigna | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| DigiCert | Other (please describe below) | | DigiCert: Our CA is able to implement change to 398 days or less validity by the date Mozilla specifies in their policy. Apple SubCA: For OV TLS certificates, currently control/ownership is reverified at least once every 825-day period. If this change becomes effective, Apple will update our procedures, prior to the effective date, to limit re-use of domain name verification to less than 398 days. We do not include IP addresses in our TLS certificates. For EV TLS certificates, currently control/ownership is reverified every 13 months |
| Disig, a.s. | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Aug 28 | |
| E-Tugra | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| Entrust | Other (please describe below) | | We suggest that the requirement to change the reuse period be discussed with the CA/Browser Forum. If there is a change, it should be in the Baseline Requirements. If there is a change to reuse requirements, it should only apply to data verified on or after the effective date of the change. This change should not apply to data verified before the effective date of the change, to avoid creating a verification cliff for the CAs and Subscribers. Note, if Mozilla requires that a domain name or IP address is re-verified each time a TLS certificate is issued, then this will reduce the effectivity of a number of verification methodologies that can be used and could impact many ecosystems which rely on TLS. |
| Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) | Our CA re-uses domain name or IP address verification, but for periods less than 398 days. Our current maximum reuse period is described below. | | We have a maximum re-use period of 100 days. |
| GlobalSign nv-sa | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2021 Jul 1 | GlobalSign would like to see a detailed security analysis of this change which we can convey to our customers when the change is announced. |
| GoDaddy | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Aug 31 | |
| Google Trust Services LLC | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | | |
| Government of Hong Kong (SAR), Hongkong Post, Certizen | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Aug 31 | |
| Government of Taiwan, Government Root Certification Authority (GRCA) | Other (please describe below) | | GRCA and its sub CAs have not issued any TLS certificates since 18 September 2019, and we will revoke all TLS certificates on 7/19/2020. |
| Government of The Netherlands, PKIoverheid (Logius) | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Nov 1 | |
| Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| HARICA | Other (please describe below) | | We would adjust the re-use period for domain name or IP address verification according to Mozilla Policy but would prefer this process to go through the CA/Browser Forum and its Baseline Requirements. During the discussion of ballot SC22 to reduce certificate lifetime, HARICA recommended re-validating domain names annually, but keeping the certificate validity at 825 days. If a certificate failed to re-validate after one year, the certificate would be automatically revoked. This would accomplish the goals of re-validation and lower the burden on operators to just re-validating the domain names/IP addresses instead of replacing certificates every year. |
| IdenTrust Services, LLC | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| Internet Security Research Group | Our CA re-uses domain name or IP address verification, but for periods less than 398 days. Our current maximum reuse period is described below. | | We have a maximum re-use period of 30 days. |
| Izenpe S.A. | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| Krajowa Izba Rozliczeniowa S.A. (KIR) | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Sep 1 | |
| Microsec Ltd. | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | Microsec supports the limitation of the reuse period of all the verified data - not only the domain name or IP address - prior to the certificate issuance. The certificate issuance should always happen on the basis of fresh validation data. In our practice, the only exception is the re-key of a certificate when the "validity end" date of the new certificate is equal to the "validity end" date of the original certificate. We think that it can be problematic when a certificate is issued for 398 days based on 398-day-old data validation, but a CA should be able to easily re-key certificates without making a whole new data validation process. Probably we should modify the meaning of the data verification validity time. It should limit the "valid to" time of the issued certificate instead of the "valid from" date. The 398 days data validation validity with this interpretation would require a new data validation yearly in the case of the normal renewal process, but it would make it possible to quickly solve the re-key request if the customer loses its private key, |
| NETLOCK Kft. | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| OISTE | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Aug 31 | The re-use of verification information is, and should be, regulated by the Baseline Requirements. Certificate validation policies are important enough to be defined in the BR instead of individual Root Programs. |
| QuoVadis | Other (please describe below) | | QuoVadis is able to implement a change to a 398-day maximum period for domain name or IP address verification for TLS certificates by the date Mozilla specifies in its policy. |
| SECOM Trust Systems CO., LTD. | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Sep 1 | |
| SK ID Solutions AS | Other (please describe below) | | Please note that SK has terminated issuance of TLS Server Certificates as of September 1st 2017 and therefore we are unable to meet this requirement. The last TLS certificate will expire in September 2020. |
| SSL.com | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Aug 31 | |
| Sectigo | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Aug 31 | |
| SecureTrust | Other (please describe below) | | SecureTrust does not issue TLS certificates containing iPAddress SANs, but only dNSNames. Reuse of domain validation evidence is currently defined by the Baseline Requirements, which is the result of robust discussion and consensus of best practices as defined by the members of the CA/B Forum. In furtherance of defining such best practices for the industry, we would like to see the discussion of tightening domain validation reuse periods brought to the CA/B Forum as opposed to being unilaterally included in a Root Program requirement. |
| Shanghai Electronic Certification Authority Co., Ltd. | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Sep 1 | |
| SwissSign AG | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Sep 30 | |
| Taiwan-CA Inc. (TWCA) | Other (please describe below) | | We are able to shorten the re-use period for domain name or IP address verification according to the Mozilla Policy requirement, but prefer the topic to be discussed in the CA/B Forum and incorporated into the Baseline Requirements first if there is a change. |
| Telia Company | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | 2020 Aug 31 | In Telia we think that domain pre-validation is a very useful method in some network circumstances. You shouldn't forbid that completely. We can manage with the changes, but we think that this change is also an unnecessary burden to our community and to domain administrators. Often there are long maintenance chains, so that information about certificate renewal won't reach the domain administrator easily, or customers don't even know who maintains their domains. Automation like ACME would be a good solution, but customers need more time to implement it, perhaps two more years. |
| TrustCor Systems | Our CA re-uses domain name or IP address verification, but for periods less than 398 days. Our current maximum reuse period is described below. | | Domain validation proofs are retained (and are re-usable) for a maximum of 30 days. Any attempt to request a domain under that previously validated domain must be subject to a fresh validation. Regarding IP address verification: TrustCor does not issue certificates embedding IP addresses, so this clause does not apply. |
| Trustis | Other (please describe below) | | End-entity certificate issuance under the current service has been discontinued. |
| Web.com | Our CA is able to implement the changes to our processes and documentation to limit the re-use of domain name verification to 398 days or less by the date specified below. | | We can meet this date, but changes of this nature should be discussed in the CA/B Forum and updated in the Baseline Requirements, not in individual root store policies. |
| certSIGN | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |
| eMudhra Technologies Limited | Our CA does not re-use domain name or IP address verification. We already perform domain name or IP address verification before each TLS certificate can be issued, even for renewal certificates. | | |