[cabfpub] Draft Ballot 186 - Limiting the Reuse of Validation Information
Dimitris Zacharopoulos
jimmy at it.auth.gr
Fri Feb 3 11:20:07 UTC 2017
On 3/2/2017 10:40 AM, Gervase Markham wrote:
> On 03/02/17 07:52, Dimitris Zacharopoulos via Public wrote:
>> I understand that this does not address all of Ryan's concerns but we
>> need to highlight that Subscribers with a large volume of certificates
>> will have a huge administrative overhead if they need to change these
>> certificates annually.
> Regardless of whether this ballot passes or fails, I hope you can see
> that this situation is a big problem, both for those customers and for
> the ecosystem. If, say, there are misissuances and an intermediate has
> to be revoked, these customers will have big problems if they can't
> change all their certificates quickly. And if there are lots of
> customers like this, it creates a problem for moving quickly to deal
> with security problems.
>
> Gerv
In a situation like this, there is obviously an impact to customers from
that Intermediate, regardless of their certificates being valid for 12,
24 or 36 months. If an Intermediate CA Certificate is distrusted for any
reason, customers will either switch to another Intermediate or to
another CA. The number of "active certificates" at that time will be the
same regardless of certificate expiration dates, and customers will have
to change certificates no matter what.
So far, Root programs take a case-by-case approach for misissuances that
might require revocation of an intermediate. The worst-case scenario for
customers of the CA in question is the revocation/distrust of an
Intermediate or a Root. In recent examples, it was decided that after a
certain date, certificates should no longer be issued from a problematic
intermediate and there are controls to monitor this. I believe this
action would still take place, and exceptions would be implemented by
Browsers to protect customers even if their certificates expired after
12 months. In any case, if an Intermediate CA Certificate must be
distrusted, giving a reasonable deadline for customers to change
Intermediate or CA before enforcing the distrust, is also an option.
Dimitris.