[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Steve Medin Steve_Medin at symantec.com
Thu Feb 2 15:52:16 UTC 2017

If it’s incredibly difficult, how is this a discussion for an industry forum rather than a stated policy technically enforced by the parties who see certificates valid longer than 13 months as a threat to their user base?


From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Wednesday, February 01, 2017 4:17 PM
To: Dean Coclin <Dean_Coclin at symantec.com>
Cc: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates




On Wed, Feb 1, 2017 at 1:01 PM, Dean Coclin <Dean_Coclin at symantec.com> wrote:

Is there some rationale for the 12/13 month selection? Why wasn’t 6/9/14/18 months considered? It appears a balance is being sought but it is unclear what parameters are being weighed in this decision process.


As mentioned at a number of F2F, we're happy to go shorter, but don't consider anything longer than 13 months viable. It would be incredibly difficult for any reasonable person to suggest that the convenience benefits (if any) of 14/18 months outweigh the security benefits.


To date, no one in the Forum has proposed 6/9 months, so it didn't seem necessary to introduce that conversation now, especially when CAs are familiar enough with 12/13 month cycles. I'm sure as we see ACME progress in IETF, that the diversity of automated issuance (whether SCEP, ACME, EST, CMC, etc) will have us revisiting that conversation and exploring a further reduction, but it's not one that seems critical to have right now.

