[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Scott Rea scott at scottrea.com
Fri Feb 10 09:25:46 MST 2017


Ryan,

I realize that in your world, you're the only thing that matters, but
there are a number of trust ecosystems that exist outside of WebPKI,
that also try to interoperate with the WebPKI, and several of the CA
providers within WebPKI are also providers for those other trust
ecosystems, so while aligning might have zero interest for the Sleevi's
of the world, it has impact for a subset of the Forum constituents. My
request for consideration was an attempt potentially make like easier
for those CA members.

In my mind, the whole 13 months itself is arbitrary, the real driver is
shorter life times, so whether we start with 13 months, 14 months, 15
months, or 13 months and 3 hrs - its all just a line in the sand, aimed
at shortening the risk exposure due to issued certificates that will
fail some future risk profile. So being pedantic about precisely
calculating an arbitrary value is just nonsense.

The reasoning behind the 400 vs some other derivative of 13 months was
the 398 was an upper bound (per the logic you have described) plus 2
extra days were given to account for 398-day anniversary falling on a
week-end, so that the key holders and CAs could address any change
during normal business hours.

So to summarize, my request to consider 400 as the upper limit was to
reduce the potential burden on WebPKI CAs who also operate
simultaneously in other PKI based trust communities that have already
set this bound, and also to allow flexibility for anniversaries that
fall on a week-end, so that they can instead be dealt with during normal
business hours - this lowers the impact on the CA and on the customer
key holders.

I don't care what color to paint your bike shed to be honest, but red is
pretty nice, and its well known that the bikes stored in there do go
much faster...

Regards,
-Scott

On 2/10/2017 7:51 PM, Ryan Sleevi wrote:
> 
> 
> On Fri, Feb 10, 2017 at 12:48 AM, Scott Rea <scott at scottrea.com
> <mailto:scott at scottrea.com>> wrote:
> 
>     On 398 vs 400: since your calling up Parkinson's law, you obviously
>     think this item trivial. If it's so trivial from your perspective,
>     yet we have at least a couple of Forum members who have indicated
>     that as their preference, perhaps you can justify why your taking
>     such a hard stance on a trivial item?
> 
> 
> Let's not misrepresent things, Scott.
> 
> By my measures, only a single measure suggested support for your
> proposal
> - https://cabforum.org/pipermail/public/2017-February/009487.html - but
> it wasn't a hard blocker.
> 
> So we really are talking about painting a bikeshed, and we really should
> be making decisions informed by data or for objective reasons, not just
> for pretty numbers.
>  
> 
>     As I said, I am happy enough with other parts of the proposal, just
>     this one "trivial" item gives me pause. The main reason is that
>     other trust communities who have already implemented policy to limit
>     lifetimes along the lines of your proposal, have already chosen 400
>     days as an upper bound - and that was not done purely for asthetics,
>     but deliberately to avoid contention in the community about whose
>     definition of 13 months is correct e.g. is it 395 or 396 or 398 etc.?
> 
> 
> Except 398 days avoids that confusion. So the only remaining difference
> - between 398 days and 400 - is purely aesthetic.
>  
> 
>     Anyway, my point is, there is another PKI trust community who uses
>     WebPKI, who already has a 400 day policy - I am asking for the same
>     because it aligns the two communities.
> 
> 
> Explain to me what value that alignment provides, especially since
> that's not a community involves with the CA/Browser Forum?
> 
> That's akin to making the argument that because red cars are known to be
> faster, we should all own red cars. The premise it rests on is flawed,
> but so too is the (il)logical conclusion.
>  
> 
>     People like even things, and 400 is just 398 rounded, or 396 rounded
>     or 393 rounded. It also conveys an impression of a standards body
>     who is not all bent out of shape and pedantic on trivial issues -
>     and as you pointed out, 398 vs 400 is trivial.
> 
> 
> I would think the fact that we still have a thread about 400 vs 398
> suggests that some members very much are bent out of shape and pedantic
> on trivial issues.
> 
> Given that the Ballot was put forward at 398 days, precisely because you
> offered no evidence as to the value or significance of 398 vs 400 (and
> have still been unable to), is your suggestion that the appearances of
> this community is best served by withdrawing the ballot to accommodate
> your aesthetic desires? Don't you think that will have a greater impact
> as to the negative appearances that you raise concern for?

-- 
Scott Rea, MSc, CISSP
Ph# (801) 874-4114


More information about the Public mailing list