[cabfpub] Deprecating support for long-lived certificates

Ryan Hurst ryan.hurst at globalsign.com
Wed Sep 4 14:25:38 UTC 2013


I agree with Rob and Steve here.

In the last year and a half that I have been involved, this is a topic that has
been brought up at each and every CABFORUM meeting: what does it mean to
have an effective date?

I finally settled on my own internal understanding of what the goal of this
concept was after listening to and participating in a few of those
conversations. One in particular stands out, with Don, who, based on my
recollection, described the situation basically the same way as Rob and Steve.

Ryan

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rob Stradling
Sent: Wednesday, September 04, 2013 7:22 AM
To: Eddy Nigg (StartCom Ltd.)
Cc: CABFPub
Subject: Re: [cabfpub] Deprecating support for long-lived certificates

On 03/09/13 23:58, Eddy Nigg (StartCom Ltd.) wrote:
>
> On 09/02/2013 01:48 PM, From Rob Stradling:
>> The BRs "Effective Date" was July 1st 2012, but I've never been sure 
>> what exactly came into effect on that date, given the "not 
>> mandatory...until...adopted and enforced" sentence I quoted previously!
>
> So what did you do in your case?

We worked towards BRs-compliance as quickly as we could, anticipating that
the BRs would eventually be "adopted and enforced" by at least one of the
browsers.

> Or what did you do to clarify it? I'm sure you must have had some 
> thoughts and decisions...

Well, I tried to apply logic.  That left me concluding that the only way to
square "Effective Date" with "not mandatory...until...adopted and enforced"
was to interpret "Effective Date" as the date on which using (for some
definition of "using") the BRs became optional (instead of forbidden).

> I'd say that the effective date is as per BR - it was already clear 
> before that software vendors will adopt it, in particular Mozilla 
> which was heavily involved during the discussions.

TBH, my recollection is that it wasn't really that clear back in July 2012.
I think we all anticipated that the browsers would eventually adopt (future
tense!) and enforce the BRs, but it was only when Mozilla updated their CA
Policy in early 2013 that the BRs were actually "adopted and enforced" (past
tense!) by anyone.

Mozilla asked CAs about BRs-compliancy back in January 2013 (some 6 months
after the "Effective Date").  It's clear from the responses [1] that some
CAs were still working towards compliance.

We share Steve Roylance's opinion that, unless they are required to address
flagrant violations of expected behaviour, policy changes should be forward
looking.

For our part we would be content to see the policy changes applied from the
date they are announced, but making them retrospective back to 1st July 2012,
when the evidence shows that that date was not universally complied with,
seems to have an uncertain impact.


[1] https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dHdISmM3c05tb1dMQjlJclJqS21QNmc&output=html

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public