[cabfpub] Deprecating support for long-lived certificates

Rob Stradling rob.stradling at comodo.com
Wed Sep 4 07:21:59 MST 2013


On 03/09/13 23:58, Eddy Nigg (StartCom Ltd.) wrote:
>
> On 09/02/2013 01:48 PM, From Rob Stradling:
>> The BRs "Effective Date" was July 1st 2012, but I've never been sure
>> what exactly came into effect on that date, given the "not
>> mandatory...until...adopted and enforced" sentence I quoted previously!
>
> So what did you do in your case?

We worked towards BRs-compliance as quickly as we could, anticipating 
that the BRs would eventually be "adopted and enforced" by at least one 
of the browsers.

> Or what did you do to clarify it? I'm sure you must have had some
> thoughts and decisions...

Well, I tried to apply logic.  That left me concluding that the only way 
to square "Effective Date" with "not mandatory...until...adopted and 
enforced" was to interpret "Effective Date" as the date on which using 
(for some definition of "using") the BRs became optional (instead of 
forbidden).

> I'd say that the effective date is as per BR - it was already clear
> before that software vendors will adopt it, in particular Mozilla which
> was heavily involved during the discussions.

TBH, my recollection is that it wasn't really that clear back in July 
2012.  I think we all anticipated that the browsers would eventually 
adopt (future tense!) and enforce the BRs, but it was only when Mozilla 
updated their CA Policy in early 2013 that the BRs were actually 
"adopted and enforced" (past tense!) by anyone.

Mozilla asked CAs about BRs-compliancy back in January 2013 (some 6 
months after the "Effective Date").  It's clear from the responses [1] 
that some CAs were still working towards compliance.

We share Steve Roylance's opinion that, unless they are required to
address flagrant violations of expected behaviour, policy changes should
be forward looking.
For our part we would be content to see the policy changes applied from
the date they are announced, but making them retrospective back to 1st
July 2012 when the evidence shows that that date was not universally
complied with seems to have an uncertain impact.


[1] https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dHdISmM3c05tb1dMQjlJclJqS21QNmc&output=html

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


