[cabfpub] Ballot 185 - Limiting the Lifetime of Certificates

Dean Coclin Dean_Coclin at symantec.com
Thu Feb 16 01:54:06 UTC 2017

This is still a relatively short implementation time for the change being considered, especially given product roadmaps handling other high impact items (i.e. CT) in the same time window.

Also, I don't think anyone disagrees with the "shorter is better" argument but "how short" still seems to be a contested topic, at least for some.

But thanks for showing some flexibility and I'm hopeful a F2F discussion will allow all parties to come to consensus.

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Saturday, February 11, 2017 9:49 AM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: Re: [cabfpub] Ballot 185 - Limiting the Lifetime of Certificates

On 09/02/17 21:08, Ryan Sleevi via Public wrote:
> Ballot 185 - Limiting the Lifetime of Certificates
> The following motion has been proposed by Ryan Sleevi of Google, Inc 
> and endorsed by Josh Aas of ISRG and Gervase Markham of Mozilla to 
> introduce

Having endorsed this, I confess I was thinking more about the maximum certificate lifetime (which I do support as a target we need to get to, and soon) than about the lead time - which, by the time this ballot passes, will be about 2 months and a week. Given the level of ongoing engagement with the question, having agreed to endorse I was also a little surprised to see us enter the formal discussion period so soon.

In one sense, the argument that "this is just a change of a number in some certificate profiles" is right. In another sense, I accept that it does take time to adjust customer expectations, even if the different action required by said customer may be a year or more in the future.
While it might be argued CAs should have asked their customers about the potential impact of this change after previous discussions, it's not reasonable to suggest that they should have been preparing them for its enactment before any ballot was passed.

There are some ways a lifetime ballot might be constructed to ease this difficulty, some of which even keep a May date for this first step, but they are not in the realm of the sort of minor adjustment historically permitted to ballots during the formal discussion period.

I therefore request that the applicability date in this ballot be changed from 1st May 2017 to, at the earliest, 24th August 2017, 6 months after the ballot voting end date. 6 months has been floated before as a reasonable lead time for high-impact changes, so I hope this will remove that point of objection even for those who feel this change is high-impact.

As the voting period begins on Thu/Fri next week, I hope we can apply this change soon, and continue from there with a process of thoughtful listening and discussion on that basis.
