[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Geoff Keating geoffk at apple.com
Mon Feb 13 08:24:55 UTC 2017

> On Feb 11, 2017, at 10:03 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> So the validity time beyond 12 months of a "1-year" cert is basically
> the time needed to install the cert; you need a bit of extra validity in
> order to keep an annual renewal date. So my question is: when and how
> does it take as much as 3 months to install a cert, and if it does,
> isn't something seriously broken?

Suppose you have a very large system on which many people rely.  It would be irresponsible to just directly install a certificate on each of the front-end hosts, especially if something had changed such as a new intermediate or a different algorithm; prudent practice would be to initially put it on a QA system, test that against all relevant clients, move to a staging host that is identical to production but not actually used by clients, confirm it does function there, then deploy in a gradual fashion to the actual production hosts.

This process can easily take more than a month.

Now, normally, the new certificate is the same as the old one except for dates and the key, those you might deploy initially in staging on the grounds that it’ll probably work, but it’s still prudent to do a round of testing.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3321 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170213/567f986b/attachment-0001.p7s>

More information about the Public mailing list