[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Doug Beattie doug.beattie at globalsign.com
Thu Feb 9 14:59:28 UTC 2017

Starting a new thread where web site administrators can post their questions regarding 13 month TLS certificates.

Posted with permission


the reasons to shorten the lifetime make no sense. His argument was about phasing out SHA1 faster, but as the CA side for the major CAs, paining them to have max. 1 year would not move the clients in enterprises to SHA2 faster. I also got an enquiry on a project to replace the in-house CA with SHA2, and they were not able to manage it earlier; they need the budget and planning, so 13 months for doing a similar change to SHA3 would be surrealistic.

The next argument, to be able to disable false certificates, I also don't agree with. There is OCSP, there is stapling, so if the browsers disable the OCSP check by default, why should the CAs need to solve this weak security default setting by letting the CAs always issue new certs? It's less secure and looks more like a quick and dirty workaround solution than the more secure, straightforward solution.

Also, this solution requires automatism, and I don't agree that automatism is more secure and the trustworthy future. Automatism is always insecure; it's the solution for the broad masses, but no solution for enterprises. It always has weaknesses and may be attackable. Manual work is always under manual control and follows key security requirements like separation of duties, controlled change management, controlled deployment management, ... As far as I know, encryption only, as fast and as widespread as possible, is the solution which Google wants to achieve, while trust isn't important (or Google may tell us whom we should trust).

As far as I know, this ballot will fail if >50% of the browsers decline and/or >1/3 of the CAs. As only Let's Encrypt endorses this idea, as they only believe in encryption and decline any responsibility for whom they issue (I saw scam, spam and phishing sites running Let's Encrypt), this ballot may fail if all trust-driven CAs decline?
Kind regards,
Christian Heutger

ITIL-Expert, PRINCE2-/COBIT 5-Practitioner
DS-/ISO 9001-/ISO 20000-1-/ISO 27001-Auditor
