[cabfpub] Certificate validity periods

Gervase Markham gerv at mozilla.org
Tue Feb 7 15:09:09 UTC 2017

On 07/02/17 05:15, Peter Bowen via Public wrote:
> Assuming we all agree that
> subscribers expect the certificates they already have to continue to
> work until they expire, then the only way to increase the rate of
> change is to reduce the maximum duration of validity.

For me, this is the key argument. Subscribers, I would postulate (not
being a CA), don't like it when they get a call saying "even though we
sold you a 2-year cert six months ago, you need to change it now". And
many customers won't get the message anyway. I would like us to be able
to make improvements to the CA ecosystem and have them fully worked
through the system in a reasonable amount of time. The only way to do
that without massive customer disruption is to shorten maximum validity
periods, because customers will (almost!) always be aware of and have
marked the expiry date of the new certificate they received as an
important date by when they need to take action.

> I think the answer to #2 is the lynchpin.  Certificates can be quite
> complex to install on some systems, frequently requiring downtime of
> the system.  How often should this be required?

Again, for reasons of ecosystem agility and for better response to
incidents, I would like to see automation much more widely deployed, but
I recognise that's not the world we live in right now. So an immediate
move to a probably-need-to-automate max validity like 3 months is not
yet feasible. But I also think something like 2 years, while an
improvement, would not drive the kind of change that is needed here. So
I am coming to the conclusion that the 400 days proposal is the correct
next step for the Forum here.

(If people have other suggestions for encouraging the system towards
automation, it would be great to hear those. But perhaps in a separate


More information about the Public mailing list