[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Doug Beattie doug.beattie at globalsign.com
Thu Feb 9 21:58:37 UTC 2017

I know GlobalSign has SHA-1 certs that expire in the future, I still say block them.  There should not be that many and one would hope that they are not even being used (much).  The browsers have been conveying degraded UI on these for a long time, so blocking them is the next logical step.  I don’t see the whole fatigue issue being so critical now, you’ve fatigued users for the past year or more so I don’t see this as making the problem any worse.  Block them.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, February 9, 2017 4:34 PM
To: Doug Beattie <doug.beattie at globalsign.com>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Sure, and I say we should solve global warming, income inequality, world hunger, P versus NP, and unicorn cloning.

Unfortunately, such statements ignore the part of the message I highlighted:
"But this also demonstrates the balance that browsers face when charged with protecting their users - do we block access to these sites (as Chrome is doing, and as Microsoft will around February 15) or not? If we do block these sites, we run the risk of causing the average user to see too many of these messages a day, thus succumbing to warning fatigue, and causing them to ignore these warnings when their information is truly at risk. This makes everyone less secure - either through warning fatigue or through lack of automatic protection."

If you'd like, I'd be happy to find GlobalSign certificates that have this problem, and we can then have a public discussion about what specific communications GlobalSign made to these subscribers, and whether or not such efforts are sufficient for browsers to justify blocking them. Because effectively, that is what it would take to help inform and illuminate that discussion, given the current evidence.

On Thu, Feb 9, 2017 at 1:30 PM, Doug Beattie <doug.beattie at globalsign.com> wrote:
I say go ahead and block them, they’ve all been warned and should be prepared for the consequences.

