[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Phillip Hallam-Baker philliph at comodo.com
Mon Feb 13 17:46:22 UTC 2017

> On Feb 10, 2017, at 9:53 AM, Ryan Sleevi <sleevi at google.com> wrote:
> On Fri, Feb 10, 2017 at 9:30 AM, philliph at comodo.com <mailto:philliph at comodo.com> <philliph at comodo.com <mailto:philliph at comodo.com>> wrote:
> So what are these other reasons that I am ignoring?
> From https://cabforum.org/pipermail/public/2017-February/009410.html <https://cabforum.org/pipermail/public/2017-February/009410.html> , which I linked to you previously:
> "Consider the impact of Ballot 169”

I don’t see any implication for validation criteria at all. If a validation criteria is faulty, the WebPKI tool designed to address it is revocation.

The longer a certificate has been issued and in use, the less concern I have for the original validation criteria. There is currently no incentive for malefactors to apply for and stockpile certificates. Most of the time, they will use the certificate as fast as possible before the phished credit card payment is challenged and it is revoked.

The need for re-validation because the facts may have changed is a different problem. But EV already has a two year period.

> "Consider any reform about extensions and their content”

As previously pointed out, the transition time for the browsers will have to run for a couple of extra years. Not a big issue. 

> "Consider how the long validity period of certificates has artificially suppressed the need for automation”

That is a very bad argument. Creating a problem to force people to solve it is totally uncool.

> "Consider the challenges in distrusting a CA”

Again, that is a revocation problem.

> Each of these seems like distinct points.

Seems to me that the real motivation for this proposal is that you folk turned off revocation, that has consequences and you now want to rewrite the rest of the infrastructure to avoid reconsidering the original mistake.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170213/fbeb2b15/attachment-0003.html>

More information about the Public mailing list