[cabfpub] Draft Ballot 186 - Limiting the Reuse of Validation Information

Dimitris Zacharopoulos jimmy at it.auth.gr
Fri Feb 3 11:20:07 UTC 2017

On 3/2/2017 10:40 πμ, Gervase Markham wrote:
> On 03/02/17 07:52, Dimitris Zacharopoulos via Public wrote:
>> I understand that this does not address all of Ryan's concerns but we
>> need to highlight that Subscribers with a large volume of certificates
>> will have a huge administrative overhead if they need to change these
>> certificates annually.
> Regardless of whether this ballot passes or fails, I hope you can see
> that this situation is a big problem, both for those customers and for
> the ecosystem. If, say, there are misissuances and an intermediate has
> to be revoked, these customers will have big problems if they can't
> change all their certificates quickly. And if there are lots of
> customers like this, it creates a problem for moving quickly to deal
> with security problems.
> Gerv

In a situation like this, there is obviously an impact to customers from 
that Intermediate, regardless of their certificates being valid for 12, 
24 or 36 months. If an Intermediate CA Certificate is distrusted for any 
reason, customers will either switch to another Intermediate or to 
another CA. The number of "active certificates" at that time will be the 
same regardless of certificate expiration dates, and customers will have 
to change certificates no matter what.

So far, Root programs take a case-by-case approach for missisuances that 
might require revocation of an intermediate. Worst case scenario for 
customers of the CA in question, is the revocation/distrust of an 
Intermediate or a Root. In recent examples, it was decided that after a 
certain date, certificates should no longer be issued from a problematic 
intermediate and there are controls to monitor this. I believe this 
action would still take place, and exceptions would be implemented by 
Browsers to protect customers even if their certificates  expired after 
12 months. In any case, if an Intermediate CA Certificate must be 
distrusted, giving a reasonable deadline for customers to change 
Intermediate or CA before enforcing the distrust, is also an option.


More information about the Public mailing list