[cabfpub] Draft Ballot 186 - Limiting the Reuse of Validation Information

Gervase Markham gerv at mozilla.org
Fri Feb 3 12:51:59 UTC 2017


On 03/02/17 12:20, Dimitris Zacharopoulos wrote:
> customers will have
> to change certificates no matter what.

Right. So my point is, we should be moving the ecosystem towards
automation for certificate renewals.

> In recent examples, it was decided that after a
> certain date, certificates should no longer be issued from a problematic
> intermediate and there are controls to monitor this. I believe this
> action would still take place, and exceptions would be implemented by
> Browsers to protect customers even if their certificates expired after
> 12 months.

You should not rely on this always being the case. It depends on the
incident. For example, if a problem has persisted for some time and is
only then discovered, a time-based distrust may not be appropriate.

> In any case, if an Intermediate CA Certificate must be
> distrusted, giving a reasonable deadline for customers to change
> Intermediate or CA before enforcing the distrust, is also an option.

Whether some leeway can be given here depends, again, on the severity of
the problem. It should not be relied upon that there will always be
some, or any time given.

My view is that CAs would be serving their customers well if it were
arranged that any customer could renew all of their certificates in a
matter of hours if necessary.

Gerv
