[cabfpub] Draft Ballot 185 (2) - Limiting the Lifetime of Certificates

Gervase Markham gerv at mozilla.org
Thu Feb 9 09:16:36 UTC 2017

On 08/02/17 20:24, Ryan Sleevi via Public wrote:
> At this point, I believe I've addressed all meaningful objections or
> concerns raised, and would like to see this proceed. I've had several
> offers for endorsement privately, but to avoid any misinterpretations,
> I'll let them re-confirm on the list and we can proceed to a vote.

This change is a significant one, but considering all of the points
raised, Mozilla does believe that it will be an important improvement in
ecosystem agility. The future is always uncertain, but with cryptography
coming under ever more scrutiny, and the rise of quantum computers (and
with post-quantum crypto not yet really in a deployable state), keeping
the WebPKI "on its toes" is a wise and forward-looking security posture.

We feel that the 13-ish months proposal does not _require_ automation,
and so is compatible with today's deployment practices, but also
encourages people _towards_ automation, which is another good thing.

Such a change will take time - because there will be an introductory
period, and then all the 3.25-year certs will need to work their way out
of the system. Using Ryan's date of 1st of May 2017, the WebPKI will not
be in a position where 13 months truly is the maximum outstanding
certificate lifetime until 1st July 2019, which is two and a half years
from now. And it will not be in a position where every certificate was
issued 13 months ago or less, thereby incorporating recent best
practices, until a further year after that, 1st August 2020. This shows
me that this change should not be delayed any further than this
timetable proposed.

So, after consideration, I endorse this ballot on behalf of Mozilla.
