[cabfpub] Draft Ballot 185 (2) - Limiting the Lifetime of Certificates

Eric Mill eric at konklone.com
Thu Feb 9 03:57:42 UTC 2017

On Wed, Feb 8, 2017 at 8:50 PM, Ryan Sleevi via Public <public at cabforum.org>

> On Wed, Feb 8, 2017 at 3:39 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
> wrote:
>> Sort of. I’d say the CAs have several automated tools available and are
>> continuously improving on them to fit various subscriber use cases, but
>> we’re looking at delays in deployment as customers fit these tools into
>> their work flows, network requirements, and provisioning obstacles. I think
>> we’re on the path towards shorter validity periods, but trying to get most
>> large customers to adopt auto-deployment for their infrastructure by May
>> 2018 will be nearly impossible.
I basically want to say something similar to Ryan's reply -- a 1-year limit
on certificates should not be seen (by CAs or subscribers) as tantamount to
a requirement to adopt auto-deployment for their infrastructure. Manual
rotation every year is reasonable, and I've seen lots of individuals and
enterprises do exactly that.

I also highly doubt that the 56% of the Alexa Top 1000 that use certs with
13-month-or-less timelines are all automating their cert renewal.

1 year is within the tolerance zone for manual rotation. But if it starts
adding some friction at scale to huge enterprises with many thousands of
manually deployed certificates, that they're used to rotating every 2-3
years, well, that is the intended (positive) effect.

-- Eric

> But one year (and change) certs are useful precisely because they _don't_
> require automatic deployment. That is, the premise is that an action once
> every 13 months (or even 5,000 or 10,000 of those, once every 13 months -
> or spread out over 13 months) is a humanly possible task that absolutely
> does not require automation.
> Automation improves the experience, but it is not, say, a proposal for 3
> month certs - a solution that is _only_ realistically practical with
> automation.
> Perhaps that's the disagreement - that, much like TLS configuration,
> requiring to update a server once a year is not unreasonable.

konklone.com | @konklone <https://twitter.com/konklone>
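The thread argues about how long a certificate may live, not about how to measure it. As an added example (not code from the CA/B Forum thread, from Eric, Ryan, or from any CA), the script below walks the DER structure of an X.509 certificate down to its validity field, computes the lifetime in days, and flags certificates over a ceiling. The 397-day ceiling (roughly the 13 months mentioned in the thread) is an assumed policy value, and the certificate bytes are constructed inline with a tiny DER encoder so the check runs offline; the issuer, subject and key fields are empty placeholders, so the sample is not a valid certificate, only enough structure for the walker.

```python
"""Measure the validity period of a DER-encoded X.509 certificate and flag
those that exceed a maximum lifetime. Added example for the lifetime
discussion above; not code from the CA/B Forum thread or any CA. The
certificate bytes are constructed inline with a tiny DER encoder so the
script runs offline; the 397-day ceiling is an assumed policy value."""
from datetime import datetime, timezone


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths only), used to build the sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def tlv(buf: bytes, off: int = 0):
    """Decode one TLV at `off`; return (tag, content, offset_after)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    end = off + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[off:end], end


def children(content: bytes):
    """Iterate over the TLVs directly inside a constructed value."""
    off = 0
    while off < len(content):
        tag, body, off = tlv(content, off)
        yield tag, body


def parse_time(tag: int, body: bytes) -> datetime:
    """RFC 5280 time: UTCTime (0x17, YYMMDDHHMMSSZ, 1950 pivot) or
    GeneralizedTime (0x18, YYYYMMDDHHMMSSZ); both must be Zulu."""
    s = body.decode("ascii")
    if not s.endswith("Z"):
        raise ValueError("only Zulu times are permitted in certificates")
    if tag == 0x17:
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = s[2:-1]
    elif tag == 0x18:
        year = int(s[:4])
        rest = s[4:-1]
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def certificate_validity(cert_der: bytes):
    """Return (notBefore, notAfter) from Certificate -> tbsCertificate -> validity."""
    _, cert, _ = tlv(cert_der)
    tbs_tag, tbs, _ = tlv(cert)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    fields = list(children(tbs))
    if fields and fields[0][0] == 0xA0:  # optional EXPLICIT [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    validity_tag, validity = fields[3]
    if validity_tag != 0x30:
        raise ValueError("validity must be a SEQUENCE")
    (t1, b1), (t2, b2) = list(children(validity))
    return parse_time(t1, b1), parse_time(t2, b2)


def lifetime_days(cert_der: bytes) -> int:
    not_before, not_after = certificate_validity(cert_der)
    return (not_after - not_before).days


def exceeds_limit(cert_der: bytes, max_days: int = 397) -> bool:
    """True when the lifetime exceeds max_days (assumed 397-day ceiling)."""
    return lifetime_days(cert_der) > max_days


def sample_cert(not_before: str, not_after: str) -> bytes:
    """Constructed certificate skeleton: placeholder Name/key fields and an
    empty signature. Enough for the walker, not a valid certificate."""
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),  # version v3
        der(0x02, b"\x01"),  # serialNumber 1
        der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        der(0x30, b""),  # issuer (empty placeholder Name)
        der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode())),
        der(0x30, b""),  # subject (placeholder)
        der(0x30, b""),  # subjectPublicKeyInfo (placeholder)
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


TWO_YEAR_CERT = sample_cert("170301000000Z", "190301000000Z")  # constructed, 730 days
ONE_YEAR_CERT = sample_cert("170301000000Z", "180301000000Z")  # constructed, 365 days

if __name__ == "__main__":
    for name, cert in (("two-year", TWO_YEAR_CERT), ("one-year", ONE_YEAR_CERT)):
        verdict = "EXCEEDS" if exceeds_limit(cert) else "ok"
        print(f"{name}: {lifetime_days(cert)} days, {verdict}")
```

On a real DER certificate (e.g. the bytes `ssl.PEM_cert_to_DER_cert` returns for a PEM file) the same `lifetime_days` call works unchanged, because the walker only relies on the field order RFC 5280 fixes for tbsCertificate. Running it across an inventory of deployed certificates is the quick way to see how far a fleet is from the one-year mark being discussed.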