[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Scott Rea scott at scottrea.com
Fri Feb 10 18:01:22 UTC 2017

Well I am not a voting member (yet), so feel free to ride roughshod
over what I am saying, not because you are correct, but because you can...

You missed entirely what I was saying Ryan. Peter's calculation is
technical - I agree, this is why you correctly chose days as the period
to be included in the standard. But my point is that Andrew's original
argument for 13 months is arbitrary - I could make the same argument for
14 months, it's just a line in the sand...

To be clear - I agree that 398 days is a technical representation of an
upper bound on 13 months. I disagree that 13 months is objective, and as
such, 400 days accomplishes the same objective, with lower expected
implementation effort for some of the CAs in the Forum.

I still advocate for 400 days.


On 2/10/2017 9:36 PM, Ryan Sleevi wrote:
> On Fri, Feb 10, 2017 at 9:23 AM, Scott Rea <scott at scottrea.com
> <mailto:scott at scottrea.com>> wrote:
>     Ryan, I think I may have missed something in your earlier argument
>     because I don't agree that 398 is an "...objective technical value".
>     Isn't 398 just your representation of an upper bound on 13 months?
> No. It was chosen for precise technical considerations. You can see them
> enumerated in
> https://cabforum.org/pipermail/public/2017-February/009449.html 
> 398 days represents the maximum validity period that accounts for all
> possible 'special' cases - leap years, 31 day months, and leap seconds
> (which might cause rounding errors). It is the smallest possible value
> which is difficult to get right.
>     When introducing new policies, doesn't it behoove us to take a look at
>     other trust communities who may have already tried to solve the same
>     issue to see if there is anything we can learn, rather than reinventing
>     the wheel every time?
> I do think this is very valuable, but you have yet to show anything
> that we can or should learn - that is, objective technical value. You've
> shared with us that another community chose 400 days, but you've yet to
> advance any reasonable technical consideration as to why 400 is better,
> objectively, than 398. The only argument that has so far not been shown
> as incorrect is the aesthetic one.
>     Your 398 is NOT objective, it's arbitrary, just as 400 is arbitrary.
>     Choosing 398 increases the burden of implementation for some CAs,
>     choosing 400 reduces the burden for some CAs, as such, I don't see 398
>     as the best choice.
> It sounds like you may have missed Peter's message, but hopefully that
> clarifies why 398 is objective. Similarly, the original discussion about
> why "13 months" rather than "12 months" was already captured in
> https://cabforum.org/pipermail/public/2017-January/009380.html
> Hopefully that clarifies any confusion and better explains why I still
> don't believe any change is necessary to accommodate your wish. 

Scott Rea, MSc, CISSP
Ph# (801) 874-4114
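The disagreement above turns on how many days "13 months" can actually span once leap years and 31-day months are taken into account. The following is an added illustration, not code from the list thread or from any CA Browser Forum document: it walks every start date across a window that contains a leap year, adds 13 calendar months (clamping to the end of the target month, an assumption about how "months" are counted), and reports the longest resulting span in days. It also includes a simple defender-side check that flags a certificate validity period longer than the proposed 398-day limit; the helper names and the 398 constant are taken from the discussion, everything else is constructed for the example.

```python
import calendar
from datetime import date, timedelta

# Limit proposed in the ballot discussion quoted above.
MAX_VALIDITY_DAYS = 398


def add_months(d: date, months: int) -> date:
    """Advance d by a number of calendar months.

    The day of month is clamped to the last day of the target month,
    so Jan 31 + 1 month gives Feb 28 (or Feb 29 in a leap year).
    This clamping rule is an assumption made for the example.
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def longest_span_days(months: int, start: date, end: date) -> int:
    """Longest distance in days from any start date in [start, end]
    to that date plus `months` calendar months."""
    longest = 0
    d = start
    while d <= end:
        longest = max(longest, (add_months(d, months) - d).days)
        d += timedelta(days=1)
    return longest


def validity_days(not_before: date, not_after: date) -> int:
    """Validity period of a certificate in whole days."""
    return (not_after - not_before).days


def exceeds_limit(not_before: date, not_after: date,
                  limit_days: int = MAX_VALIDITY_DAYS) -> bool:
    """True when the certificate's validity period is longer than the limit."""
    return validity_days(not_before, not_after) > limit_days


if __name__ == "__main__":
    # 2016 through 2020 contains two leap years (2016 and 2020).
    window = (date(2016, 1, 1), date(2020, 12, 31))
    print("longest 12-month span:", longest_span_days(12, *window), "days")
    print("longest 13-month span:", longest_span_days(13, *window), "days")

    # Constructed sample validity periods.
    nb = date(2019, 3, 1)
    print("13 months from", nb, "exceeds 398?", exceeds_limit(nb, add_months(nb, 13)))
    print("399 days from", nb, "exceeds 398?", exceeds_limit(nb, nb + timedelta(days=399)))
```

Calendar arithmetic alone tops out at 397 days (a 366-day leap year followed by a 31-day month, for example 1 March 2019 to 1 April 2020); the thread's figure of 398 leaves one further day for the rounding and leap-second cases Ryan mentions. Running the check with `limit_days=400` shows why the two proposals differ only for certificates in the 399 to 400 day range.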
