[cabfpub] Ballot 185 - Limiting the Lifetime of Certificates

Peter Bowen pzb at amzn.com
Sat Feb 11 19:26:03 UTC 2017


Kirk,

If we assume that the objective is to move to 13 month/398 days/400 days (pick any) as maximum duration between notBefore and notAfter and to prohibit notBefore from being more than one week different from when the CA signs the certificate, how long do you think CAs would need for implementation (e.g. contract revision, re-seller system updates, etc)?

Thanks,
Peter
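A pre-issuance lint for the constraint sketched above (a validity cap under each of the three candidate definitions, plus a one-week bound between notBefore and the signing time), added here as an example and not code from the list or from any CA; the timestamps are constructed and the function and rule names are assumptions for illustration:

```python
from datetime import datetime, timedelta, timezone
import calendar

def utc(year, month, day):
    """Build a timezone-aware UTC timestamp at midnight."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def add_months(moment, months):
    """Advance a timestamp by whole calendar months, clamping the day to the
    target month's length (31 Jan + 1 month -> 28/29 Feb). This is where a
    '13 months' rule and a fixed day count such as 398 days diverge."""
    index = moment.month - 1 + months
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)

# The three candidate caps named in the message, each mapping notBefore to the
# latest permitted notAfter (names are assumptions for this example).
LIMITS = {
    "13 months": lambda nb: add_months(nb, 13),
    "398 days": lambda nb: nb + timedelta(days=398),
    "400 days": lambda nb: nb + timedelta(days=400),
}

def lint_validity(not_before, not_after, signed_at, max_skew=timedelta(days=7)):
    """Return the list of rule violations for a proposed validity period.
    An empty list means the period passes every candidate cap and the
    one-week limit between notBefore and the signing time."""
    violations = []
    if not_after <= not_before:
        violations.append("notAfter must be later than notBefore")
    for name, latest in LIMITS.items():
        if not_after > latest(not_before):
            violations.append(f"exceeds {name} cap (latest notAfter {latest(not_before):%Y-%m-%d})")
    if abs(signed_at - not_before) > max_skew:
        violations.append(f"notBefore differs from signing time by more than {max_skew.days} days")
    return violations

if __name__ == "__main__":
    # Constructed sample periods, not taken from real certificates.
    cases = [
        ("three-year legacy cert", utc(2017, 5, 1), utc(2020, 5, 1), utc(2017, 5, 1)),
        ("398-day cert signed on time", utc(2017, 5, 1), utc(2018, 6, 3), utc(2017, 5, 2)),
        ("backdated by nine days", utc(2017, 5, 1), utc(2018, 5, 1), utc(2017, 5, 10)),
    ]
    for label, nb, na, signed in cases:
        print(f"{label}: {lint_validity(nb, na, signed) or 'OK'}")
```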

> On Feb 11, 2017, at 11:21 AM, Kirk Hall via Public <public at cabforum.org> wrote:
> 
> One other factor to consider, Gerv, is that many CAs have distribution agreements with partners and resellers, and also long-term agreements in place with customers. A sudden change to all these relationships, including elimination of product offerings that were included in the agreements, is at the very least difficult (for example, partners and resellers will have to re-gear their systems, change their websites, alter their own contracts, etc.) and could even lead to contract/legal problems.
> 
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
> Sent: Saturday, February 11, 2017 9:49 AM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Gervase Markham <gerv at mozilla.org>
> Subject: Re: [cabfpub] Ballot 185 - Limiting the Lifetime of Certificates
> 
> On 09/02/17 21:08, Ryan Sleevi via Public wrote:
>> Ballot 185 - Limiting the Lifetime of Certificates
>> 
>> The following motion has been proposed by Ryan Sleevi of Google, Inc 
>> and endorsed by Josh Aas of ISRG and Gervase Markham of Mozilla to 
>> introduce
> 
> Having endorsed this, I confess I was thinking more about the maximum certificate lifetime (which I do support as a target we need to get to, and soon) than about the lead time - which, by the time this ballot passes, will be about 2 months and a week. Given the level of ongoing engagement with the question, having agreed to endorse I was also a little surprised to see us enter the formal discussion period so soon.
> 
> In one sense, the argument that "this is just a change of a number in some certificate profiles" is right. In another sense, I accept that it does take time to adjust customer expectations, even if the different action required by said customer may be a year or more in the future.
> While it might be argued CAs should have asked their customers about the potential impact of this change after previous discussions, it's not reasonable to suggest that they should have been preparing them for its enactment before any ballot was passed.
> 
> There are some ways a lifetime ballot might be constructed to ease this difficulty, some of which even keep a May date for this first step, but they are not in the realm of the sort of minor adjustment historically permitted to ballots during the formal discussion period.
> 
> I therefore request that the applicability date in this ballot be changed from 1st May 2017 to, at the earliest, 24th August 2017, 6 months after the ballot voting end date. 6 months has been floated before as a reasonable lead time for high-impact changes, so I hope this will remove that point of objection even for those who feel this change is high-impact.
> 
> As the voting period begins on Thu/Fri next week, I hope we can apply this change soon, and continue from there with a process of thoughtful listening and discussion on that basis.
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
