[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Kirk Hall Kirk.Hall at entrustdatacard.com
Mon Feb 13 17:37:44 UTC 2017


Yes, we all need reminding of things that are not inherently fun to do - I have some overdue reminders on my calendar now.  I wish we could all be perfect and always on time.  We wanted to avoid the panic from website owners who suddenly discover their certs are expiring on Sunday afternoon.  So far, it's worked pretty well - CAs are certainly persistent in their reminders, as the sooner we can sell a renewal certificate, the better.

But saying now that no buffer period should be allowed does not reflect how website owners (or people) really are.  Taking this position now would also be quite a shift from when the EVGL and BRs were adopted, when there was no opposition (so far as I can recall) from browsers to a buffer period.

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Monday, February 13, 2017 9:13 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

On 13/02/17 16:17, Kirk Hall via Public wrote:
> One other point I don't think was made - as I recall, the extra months 
> added to 24 or 36 month certificates are intended to be a buffer in 
> case the customer is late in renewing.  Even though we start reminding 
> customers that their certificates will expire before the end of 24 or 
> 36 months, a surprising number of customers can be slow in completing 
> all the renewal steps, especially for OV and EV renewals.

The thing about this argument is that it's an "how long is a piece of string" argument. I'm sure there's one or two customers who have run off the end of the "extra" 3 months and their certs have expired, at which point they've suddenly woken up and got the renewal process in gear.
Does this mean we should add more than 3 months as "buffer"? No, it means however often you remind them, there are always customers who won't pay attention until their certs expire.

If a particular customer seems to need 5 months warning to replace a certificate (again, like a broken record, I repeat: if this is the case, something is terribly wrong, but it's not the length of the lifetime of their cert), you need to start reminding them about it 4 months before the expiry.

Gerv



More information about the Public mailing list