[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Gervase Markham gerv at mozilla.org
Mon Feb 13 17:13:05 UTC 2017

On 13/02/17 16:17, Kirk Hall via Public wrote:
> One other point I don't think was made - as I recall, the extra
> months added to 24 or 36 month certificates are intended to be a
> buffer in case the customer is late in renewing.  Even though we
> start reminding customers that their certificates will expire before
> the end of 24 or 36 months, a surprising number of customers can be
> slow in completing all the renewal steps, especially for OV and EV
> renewals.

The thing about this argument is that it's a "how long is a piece of
string" argument. I'm sure there's one or two customers who have run off
the end of the "extra" 3 months and their certs have expired, at which
point they've suddenly woken up and got the renewal process in gear.
Does this mean we should add more than 3 months as "buffer"? No, it
means however often you remind them, there are always customers who
won't pay attention until their certs expire.

If a particular customer seems to need 5 months' warning to replace a
certificate (again, like a broken record, I repeat: if this is the case,
something is terribly wrong, but it's not the length of the lifetime of
their cert), you need to start reminding them about it 4 months before
the expiry.


