[cabfpub] Draft Ballot 185 (2) - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Thu Feb 9 01:50:38 UTC 2017

On Wed, Feb 8, 2017 at 3:39 PM, Jeremy Rowley <jeremy.rowley at digicert.com>

> Sort of. I’d say the CAs have several automated tools available and are
> continuously improving on them to fit various subscriber use cases, but
> we’re looking at delays in deployment as customers fit these tools into
> their work flows, network requirements, and provisioning obstacles. I think
> we’re on the path towards shorter validity periods, but trying to get most
> large customers to adopt auto-deployment for their infrastructure by May
> 2018 will be nearly impossible.

But one year (and change) certs are useful precisely because they _don't_
require automatic deployment. That is, the premise is that an action once
every 13 months (or even 5,000 or 10,000 of those, once every 13 months -
or spread out over 13 months) is a humanly possible task that absolutely
does not require automation.

Automation improves the experience, but it is not, say, a proposal for 3
month certs - a solution that is _only_ realistically practical with

Perhaps that's the disagreement - that, much like TLS configuration,
requiring to update a server once a year is not unreasonable.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170208/0874991e/attachment-0003.html>

More information about the Public mailing list