[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Scott Rea scott at scottrea.com
Fri Feb 10 17:30:09 UTC 2017


I am not defending the calculations used to justify 400, only reporting
how that community arrived at 400 as their "line in the sand". As Ryan
has pointed out, CAs can manage the public holidays and weekends etc. -
what is important is that there is a line in the sand that everyone
agrees to and adheres to.

My point is that there is prior art - albeit in another trust community,
that chose 400 as their line in the sand. Some of the CAs (including
your own I believe) operate in that community and in WebPKI, so to make
it less burdensome on those CAs to comply with different policies
amounting to different numbers or lines in the sand, why can't we make
them the same?


On 2/10/2017 9:05 PM, Rob Stradling wrote:
> On 10/02/17 16:44, Ryan Sleevi via Public wrote:
>> On Fri, Feb 10, 2017 at 8:25 AM, Scott Rea wrote:
>>     The reasoning behind the 400 vs some other derivative of 13 months was
>>     the 398 was an upper bound (per the logic you have described) plus 2
>>     extra days were given to account for 398-day anniversary falling on a
>>     week-end, so that the key holders and CAs could address any change
>>     during normal business hours.
> Weekends are a regular disruption to business hours, but they aren't the
> only such disruption during the course of a year.
> Consider a certificate issued to a US subscriber that expires on
> Thursday November 23rd 2017.  Normal business hours won't resume until 4
> days later.
> http://www.officeholidays.com/countries/usa/
> Ditto for a certificate issued to a UK subscriber that expires on Friday
> 14th April 2017.
> https://www.gov.uk/bank-holidays
> Would that justify an additional 2 extra days?

Scott Rea, MSc, CISSP
Ph# (801) 874-4114
