[cabfpub] Draft Ballot 185 (2) - Limiting the Lifetime of Certificates

Jeremy Rowley jeremy.rowley at digicert.com
Wed Feb 8 23:39:58 UTC 2017

Sort of. I’d say the CAs have several automated tools available and are continuously improving on them to fit various subscriber use cases, but we’re looking at delays in deployment as customers fit these tools into their workflows, network requirements, and provisioning obstacles. I think we’re on the path towards shorter validity periods, but trying to get most large customers to adopt auto-deployment for their infrastructure by May 2018 will be nearly impossible.




From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Wednesday, February 8, 2017 2:32 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Draft Ballot 185 (2) - Limiting the Lifetime of Certificates




On Wed, Feb 8, 2017 at 1:09 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

Hopefully there are a lot more relying parties than server operators (which is what the CAs represent)! I know we’ve recently been polling our customers on their support to move to one year certs, and there isn’t quite the automation levels needed for us to support this ballot. We support the drive towards automation and have been helping customers build automated tools for provisioning and deployment, but the customers aren’t quite there. Hence, May 2017 is far too aggressive of a timeline to meet in moving towards 13 month certs. We do strongly support moving to shorter validity periods (for the reasons Ryan cited), but I think May is an unrealistic timeframe.


Jeremy, just to make sure I understand this argument: It appears you're suggesting that 13 months is too onerous for a human to do, and thus requires automation, and thus requires more time to phase in. Is that a correct understanding of your objection?

