[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Gervase Markham gerv at mozilla.org
Mon Feb 13 09:05:01 UTC 2017

On 13/02/17 08:24, Geoff Keating wrote:
> Suppose you have a very large system on which many people rely.  It
> would be irresponsible to just directly install a certificate on each
> of the front-end hosts, especially if something had changed such as a
> new intermediate or a different algorithm; 

If that had happened, I'm sure a good CA would have warned their
customers of the upcoming change in certificate "style" and provided
them with whatever test certificates they needed. One does not have to
wait until certificate renewal is due in order to conduct this sort of

> Now, normally, the new certificate is the same as the old one except
> for dates and the key, those you might deploy initially in staging on
> the grounds that it’ll probably work, but it’s still prudent to do a
> round of testing.

Sure. But if it's identical apart from dates (often) or dates and key,
does it really need a month of testing?

Again, if it's not possible to deploy a new cert faster than that,
something is broken somewhere, and it's not the certificate's lifetime.


More information about the Public mailing list