[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Scott Rea scott at scottrea.com
Fri Feb 10 18:14:00 UTC 2017

I think that is a good summary Ryan.

We are essentially weighing up the difference of adding 2 days to the
minimal possible time for a potential screw up vs a potential
significant reduction in effort for some CAs who accommodate multiple
trust communities.

I think the latter outweighs the former, and actually reduces the risk
of a correct implementation of the former by those who fall into the
category of multi-trust community support. Lower risk because their
renewal algorithms only need to accommodate the one value rather than
having to check which trust community it is, decide which one takes
precedence if its both, and implement a different value depending on the
outcome. Simpler algorithm, should be lower risk, faster implementation.

400 is a win-win, whereas 398 is a win-we-don't-give-a-crap...


On 2/10/2017 10:04 PM, Ryan Sleevi wrote:
> On Fri, Feb 10, 2017 at 10:01 AM, Scott Rea <scott at scottrea.com
> <mailto:scott at scottrea.com>> wrote:
>     Well I am not a voting member (yet), so feel free to ride rough shod
>     over what I am saying, not because you are correct, but because you
>     can...
>     You missed entirely what I was saying Ryan. Peter's calculation is
>     technical - I agree, this is why you correctly chose days as the period
>     to be included in the standard. But my point is that Andrew's original
>     argument for 13 months is arbitrary - I could make the same argument for
>     14 months, its just a line in the sand...
>     To be clear - I agree that 398 days is a technical representation of an
>     upper bound on 13 months. I disagree that 13 months is objective, and as
>     such, 400 days accomplishes the same objective, with lower expected
>     implementation effort for some of the CAs in the Forum.
>     I still advocate for 400 days.
> OK, so it's really a debate between our preferences - an expressed
> preference for 365 days on this side, and your desire for longer - and
> the question as to whether 398 or 400 is an acceptable compromise
> between those preferences. 398 has the benefit that it's the smallest
> possible value that accommodates the needs expressed, while also
> minimizing screwing up. 

Scott Rea, MSc, CISSP
Ph# (801) 874-4114

More information about the Public mailing list