[cabfpub] RE: Reply: Ballot 185 (Revised) - Limiting the Lifetime ofCertificates

zhangyq zhangyq at gdca.com.cn
Wed Feb 22 09:12:21 UTC 2017 

GDCA votes “NO”, and our reasons are as follows:


1. Despite that the reduction in the validity period of certificates seems to be reasonable and irresistible in the long run, we hold the view that a 27 months validity period at the current stage is reasonable.
2. A one year implementation period will be better for CAs, resellers and enterprise customers to get ready for the change.


Thanks.


原始邮件
发件人:张翼 via Publicpublic at cabforum.org
收件人:'CA/Browser Forum Public Discussion List'public at cabforum.org
抄送:张翼zhangyi at cfca.com.cn; zhaoyuzhaoyu at cfca.com.cn; '赵烨昕'zhaoyexin at cfca.com.cn; '牛帅'niushuai at cfca.com.cn
发送时间:2017年2月22日(周三) 10:30
主题:[cabfpub] Reply: Ballot 185 (Revised) - Limiting the Lifetime ofCertificates


CFCA votes “NO” on Ballot 185

For the Lifetime of Certificates:
We agree that in the long run, reduce lifetime of Certificates is reasonable. We also believe that the EV standard right now (Max 27Months / 2 years) is enough for security. And as Robin says “Usable security”.
In other word, we do not find it critical to change OV(39 months limit) and EV (27months limit) all to 398 days.
In our point of view, limit all end-certificate’s Lifetime to 27months(The highest standard right now) is a more reasonable choice.

For the Effective Date:
For this kinds of change and limitation, 1 year or more time is needed for both CA and their customer, please consider the period that changing 60 months to 39/27months.

For Google’s statement:

 Given that should the Baseline Requirements fail to show consensus, the
 next step will be to require these changes as part of a browser program –
 both as to considering a certificate trusted and to considering a certificate
 misissued - in order to ensure security needs are met. As such, it would
 helpful that those voting NO provide concrete and actionable reasons as
 to the concerns, so as to inform what conditions that the CA might
 consider it acceptable. Failure to articulate concerns simply means that
 such concerns cannot be given any consideration before taking action.

Well, “next step will be to require these changes as part of a browser program” 
Personally when I read this paragraph ,King Robert Baratheon is in my head ”I'm the king, I get what I want”
We respect Google’s effort on security, such as CT, we understand that Google controls Android trusted store and Chrome and Google is the Pioneer in field of Security.
But please do consider the opinions and concerns from CA and their customer.
I kindly suggest that we discuss this on the upcoming CAB forum F2F meeting 40 and do not be hurry to make hard decision .

A natural consequence of this is that you see Root Store members already –
and have always had - requirements that go above and beyond what the Baseline
Requirements require. You can see this very evidently through the policies of both
Microsoft ( https://aka.ms/rootcert ) and
Mozilla (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ )

For the fact the trust store may add more restriction to BR,
Most time it’s BR request “A” we also need you to do “B”,
not “A” is not good, so forget about BR, we request “B”

Regards.
Zhang Yi
CFCA

发件人: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] 代表 Robin Alden via Public
发送时间: 2017年2月18日 1:32
收件人: 'CA/Browser Forum Public Discussion List'
抄送: Robin Alden
主题: Re: [cabfpub] Ballot 185 (Revised) - Limiting the Lifetime of Certificates

Comodo votes "NO".

 Given that should the Baseline Requirements fail to show consensus, the
 next step will be to require these changes as part of a browser program –
 both as to considering a certificate trusted and to considering a certificate
 misissued - in order to ensure security needs are met. As such, it would
 helpful that those voting NO provide concrete and actionable reasons as
 to the concerns, so as to inform what conditions that the CA might
 consider it acceptable. Failure to articulate concerns simply means that
 such concerns cannot be given any consideration before taking action.

Google are going to impose a 398-day maximum validity period in Chrome regardless of the outcome of this vote, right?

We are committed to security. Usable security. We represent many
certificate holders who do not yet have sufficient technical expertise,
manpower and/or automation to be able to cope with this proposed
reduction in the maximum validity period.

Carefully consider the commitment to usability of any browser which votes Yes!

Regards
Robin Alden
Comodo

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: 13 February 2017 19:18
To: CABFPub public at cabforum.org
Cc: Ryan Sleevi sleevi at google.com
Subject: [cabfpub] Ballot 185 (Revised) - Limiting the Lifetime of Certificates

Pursuant to the consensus onhttps://cabforum.org/pipermail/public/2017-February/009530.html about the nature of changes during the discussion period, and the request from Gervase onhttps://cabforum.org/pipermail/public/2017-February/009618.html to adjust what represents the Baseline agreement, this adjusts the effective date from 1 April to 24 August. While individual programs may choose to enact or enforce requirements prior to that, as the Baseline Requirements capture the effective point of common agreement of the bare minimum security levels, it seems appropriate that this Ballot accurately reflect that.


Ballot 185 - Limiting the Lifetime of Certificates

The following motion has been proposed by Ryan Sleevi of Google, Inc and endorsed by Josh Aas of ISRG and Gervase Markham of Mozilla to introduce new Final Maintenance Guidelines for the "Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates" and the "Guidelines for the Issuance and Management of Extended Validation Certificates"

-- MOTION BEGINS --
Modify Section 6.3.2 of the "Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates" as follows:

Replace Section 6.3.2, which reads as follows:
"""
6.3.2. Certificate Operational Periods and Key Pair Usage Periods

Subscriber Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months.
Except as provided for below, Subscriber Certificates issued after 1 April 2015 MUST have a Validity Period
no greater than 39 months.

Until 30 June 2016, CAs MAY continue to issue Subscriber Certificates with a Validity Period greater than 39
months but not greater than 60 months provided that the CA documents that the Certificate is for a system or
software that: 
(a) was in use prior to the Effective Date; 
(b) is currently in use by either the Applicant or a substantial number of Relying Parties; 
(c) fails to operate if the Validity Period is shorter than 60 months;
(d) does not contain known security risks to Relying Parties; and 
(e) is difficult to patch or replace without substantial economic outlay
"""

with the following text:
"""
6.3.2. Certificate Operational Periods and Key Pair Usage Periods

Subscriber Certificates issued on or after 24 August 2017 MUST NOT have a Validity Period greater than three hundred and ninety-eight (398) days.

Subscriber Certificates issued prior to 24 August 2017 MUST NOT have a Validity Period greater than thirty-nine (39) months.
"""

Modify Section 9.4 of the "Guidelines for the Issuance and Management of Extended Validation Certificates" as follows:

Replace Section 9.4, which reads as follows:
"""
9.4. Maximum Validity Period For EV Certificate

The validity period for an EV Certificate SHALL NOT exceed twenty seven months. It is RECOMMENDED that EV
Subscriber Certificates have a maximum validity period of twelve months.
"""

with the following text:
""""
9.4 Maximum Validity Period for EV Certificate

EV Certificates issued on or after 24 August2017 MUST NOT have a Validity Period greater than three hundred and ninety-eight (398) days.

EV Certificates issued prior to 24 August2017 MUST NOT have a Validity Period greater than twenty seven (27) months.
"""
-- MOTION ENDS --

Ballot 185 - Limiting the Lifetime of Certificates
Status: Final Maintenance Guideline

Review Period:
Start Time: 2017-02-10 00:00:00 UTC
End Time: 2017-02-17 00:00:00 UTC

Vote for Approval:
Start Time: 2017-02-17 00:00:00 UTC
End Time: 2017-02-24 00:00:00 UTC

Votes must be cast by posting an on-list reply to this thread on the Public Mail List.

A vote in favor of the ballot must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting Member before the close of the voting period will be counted. Voting Members are listed here: https://cabforum.org/members/

In order for the ballot to be adopted, two thirds or more of the votes cast by Members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170222/e4a2b8f9/attachment-0002.html>

More information about the Public mailing list