[cabfpub] Deprecating support for long-lived certificates

Steve Roylance steve.roylance at globalsign.com
Wed Sep 4 02:07:07 MST 2013


Hi all,

I agree with Rob in that there's still confusion when we look back, so can we
look forward?

The reason I say this is that we've had similar discussions on effective
dates within the Ballot 107 thread around auditors' understanding of
effectiveness dates. As I stated in that thread, my understanding on
effective dates has always been the same in that the effective date is on a
per-CA basis and 100% governed by the date the CA places a statement into
their CPS (or modifies it to take account of changes needed for specific
rules such as not supporting MITM etc.) which is then later audited by their
relevant ETSI or WebTrust auditor, potentially 12 months afterwards. In the
case of the Baseline Requirements there is a requirement for a specific
statement and specific OIDs, but for most root programs there's no
requirement to add any compliance statement. Critical dates for compliance
by root programs are mandated by the root programs themselves in sideline
agreements/discussions.

The 1st July 2012 effective date was not "mandatory" across the industry and
as such it may not have even been on the radar of all CAs (I'm thinking
smaller here) in all jurisdictions. It would not therefore be fair to
suggest that it was and backdate decisions that may well negatively impact
the industry at large when web sites start failing. The idea behind the
Baseline Requirements was a carrot to incentivise, through market
competition, a way to improve the industry as a whole, and not a stick.
Each root program owner has their own stick(s) already. I don't believe
that there's a list of Baseline Requirements compliant CAs anywhere (see
http://www.mozilla.org/projects/security/certs/included/index.html and
you'll notice many CAs are missing audit reports for BR compliance).

In the end we are (were ;-) ) a consensus-led group, which leads me to ask
myself what date does make sense for all rules to be applicable? The 31st
December 2013 seems a great point in time due to the 1024/2048-bit RSA
requirements in many people's minds, so is it possible to suggest to all root
programs that they mandate a simple e-mail out to participants mandating
full BR compliance by this date? As an example, Mozilla would be able to
complete their spreadsheet by then and Google would be able to turn on
validity checking for anything issued from 1st Jan 2014 rather than 18
months earlier. This allows CAs to ensure that any re-issuance logic
around the 60/39 month step-down in April 2015 will be effective and that
subscribers can be warned of this logic change up front in a subscriber
agreement.

Maybe it's a discussion for the CABForum F2F in a few weeks or on the call
tomorrow night and I hope my points make sense as I really do believe
looking forward is best and not backwards.

Steve
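As an added illustration of the validity checking the message refers to (example code, not part of this thread or any CA's or browser's implementation), the following applies the Baseline Requirements maximum validity period (60 months, stepping down to 39 months for certificates issued on or after 1 April 2015) only to certificates issued on or after a configurable enforcement date, here assumed to be the proposed 1 January 2014 rather than the BR effective date.

```python
import calendar
from datetime import date

# Validity limits from the Baseline Requirements as discussed in the thread:
# 60 months, stepping down to 39 months for certificates issued on or after
# 1 April 2015.
STEP_DOWN_DATE = date(2015, 4, 1)
MAX_MONTHS_BEFORE_STEP_DOWN = 60
MAX_MONTHS_AFTER_STEP_DOWN = 39

# Assumed enforcement cut-off (the message's proposal, not a BR date).
PROPOSED_ENFORCEMENT_START = date(2014, 1, 1)


def add_months(d: date, months: int) -> date:
    """Shift d forward by `months`, clamping the day to the target month's length."""
    year = d.year + (d.month - 1 + months) // 12
    month = (d.month - 1 + months) % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def max_validity_months(not_before: date) -> int:
    """Maximum validity in months allowed for a certificate issued on not_before."""
    if not_before >= STEP_DOWN_DATE:
        return MAX_MONTHS_AFTER_STEP_DOWN
    return MAX_MONTHS_BEFORE_STEP_DOWN


def check_validity(not_before: date, not_after: date,
                   enforcement_start: date = PROPOSED_ENFORCEMENT_START) -> str:
    """Classify a certificate's validity period against the BR limits.

    Returns 'not-enforced' for certificates issued before enforcement_start,
    'ok' when the validity period fits the limit for its issuance date, and
    'too-long' when it exceeds that limit.
    """
    if not_before < enforcement_start:
        return "not-enforced"
    latest_allowed = add_months(not_before, max_validity_months(not_before))
    return "ok" if not_after <= latest_allowed else "too-long"


if __name__ == "__main__":
    # Constructed sample certificates: (notBefore, notAfter)
    samples = [
        (date(2013, 6, 1), date(2019, 6, 1)),   # issued before cut-off
        (date(2014, 3, 1), date(2019, 3, 1)),   # exactly 60 months
        (date(2015, 4, 1), date(2019, 4, 1)),   # 48 months after step-down
    ]
    for nb, na in samples:
        print(nb, na, check_validity(nb, na))
```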


From:  Eddy Nigg <eddy_nigg at startcom.org>
Organization:  StartCom Ltd.
Date:  Tuesday, 3 September 2013 23:58
To:  CABFPub <public at cabforum.org>
Subject:  Re: [cabfpub] Deprecating support for long-lived certificates

On 09/02/2013 01:48 PM, Rob Stradling wrote:
>  
> The BRs "Effective Date" was July 1st 2012, but I've never been sure
> what exactly came into effect on that date, given the "not
> mandatory...until...adopted and enforced" sentence I quoted previously!
>  
So what did you do in your case? Or what did you do to clarify it? I'm sure
you must have had some thoughts and decisions...

I'd say that the effective date is as per BR - it was already clear before
that software vendors will adopt it, in particular Mozilla which was heavily
involved during the discussions.

Regards

Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>

_______________________________________________ Public mailing list
Public at cabforum.org https://cabforum.org/mailman/listinfo/public
