[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Gervase Markham gerv at mozilla.org
Sat Feb 11 18:03:17 UTC 2017

On 10/02/17 23:23, Steve Medin via Public wrote:
> Current standards are 39 and 27 months. Why is it that when we move to
> issuing certificates two or three times more often for some certificate
> buyers, they get one third the time to renew them in advance of their
> expiration?

Counter-question: if someone (currently, not post-ballot) is renewing
their certs every year, why do they need 3 months to install it?

Expansion of question:

Feb 1st 2014: Cert A (Feb 1st 2014 to May 1st 2015) issued to customer
Some time later: cert installed
January 2015: Customer sees renewal coming up, contacts CA
Feb 1st 2015: Cert B (Feb 1st 2015 to May 1st 2016) issued to customer
Some time later: cert installed
etc. each year.

So the validity time beyond 12 months of a "1-year" cert is basically
the time needed to install the cert; you need a bit of extra validity in
order to keep an annual renewal date. So my question is: when and how
does it take as much as 3 months to install a cert, and if it does,
isn't something seriously broken?


More information about the Public mailing list