[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Fri Feb 3 23:00:54 UTC 2017

I'll try to simplify the replies, because it seems that giving a long list
of reasons is causing too much confusion:

1) Do you acknowledge and agree that a shorter-lived certificate makes for
a natural revocation?
2) Do you acknowledge and agree that a shorter-lived certificate ensures
that policies regarding new issuance can come in effect quicker than the
current system?

Your attempts to ignore the SHA-1 issue are surprising. I would have
thought the data that Microsoft shared regarding their efforts to deprecate
this - due to the security risk to their users - while minimizing impact -
would have unquestionably shown why this was necessary. To recap and
refresh - the significant challenge reported was due to the long-lived
nature of the certificates meaning that disabling SHA-1 - thus protecting
the ecosystem - would and did cause considerable impact.

The irony here of your objections to continuing the SHA-1 discussion is
that, anticipating these problems, Google tried to help communicate to
users and site operators the risk that CAs' repeated failures would cause,
and the CA Security Council objected to this. So we have a situation where
CAs are not actually trying to help the ecosystem (or their users) be more
secure, we have ample evidence how the practice of long-lived certs
prevents meaningful improvement, and CAs objecting to any and all efforts
to improve the ecosystem to date that don't involve CRLs/OCSP, a set of
unusable technologies in part due to CAs poisoning that well. That's not a
healthy ecosystem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170203/287979ba/attachment-0003.html>

More information about the Public mailing list