[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Feb 13 16:17:42 UTC 2017

One other point I don't think was made - as I recall, the extra months added to 24 or 36 month certificates are intended to be a buffer in case the customer is late in renewing.  Even though we start reminding customers that their certificates will expire before the end of 24 or 36 months, a surprising number of customers can be slow in completing all the renewal steps, especially for OV and EV renewals.

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Monday, February 13, 2017 1:05 AM
To: Geoff Keating <geoffk at apple.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

On 13/02/17 08:24, Geoff Keating wrote:
> Suppose you have a very large system on which many people rely.  It 
> would be irresponsible to just directly install a certificate on each 
> of the front-end hosts, especially if something had changed such as a 
> new intermediate or a different algorithm;

If that had happened, I'm sure a good CA would have warned their customers of the upcoming change in certificate "style" and provided them with whatever test certificates they needed. One does not have to wait until certificate renewal is due in order to conduct this sort of testing.

> Now, normally, the new certificate is the same as the old one except 
> for dates and the key, those you might deploy initially in staging on 
> the grounds that it’ll probably work, but it’s still prudent to do a 
> round of testing.

Sure. But if it's identical apart from dates (often) or dates and key, does it really need a month of testing?

Again, if it's not possible to deploy a new cert faster than that, something is broken somewhere, and it's not the certificate's lifetime.
