[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Rob Stradling rob.stradling at comodo.com
Fri Feb 10 17:28:31 UTC 2017

On 10/02/17 17:04, Ryan Sleevi via Public wrote:
> Absent this change, if Browsers were to require that all new
> certificates contain the id-kp-serverAuth EKU, from intermediates that
> contain the id-kp-serverAuth EKU, from roots that contain the
> id-kp-serverAuth EKU - as a very simple example - how long do you
> believe this migration would take?

Nitpicking this particular example:

Most root certificates don't contain the EKU extension.  Persuading some 
browser root programs to accept new root certificates can take MANY, 
MANY YEARS!  A 13-month maximum validity period for leaf certs would not 
improve that particular situation.

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
