[cabfpub] Ballot 185 - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Thu Feb 16 01:59:27 UTC 2017

On Wed, Feb 15, 2017 at 5:54 PM, Dean Coclin via Public <public at cabforum.org> wrote:

> This is still a relatively short implementation time for the change being
> considered, especially given product roadmaps handling other high impact
> items (i.e. CT) in the same time window.

As always, it's useful to specifically identify what challenges this
presents, to better inform the debate. Given that CAs routinely say "it's a
short implementation timeline" - and this is six months for an existing,
well-supported part of the WebPKI (as opposed to new features, such as
improved validation methods, CT, or CAA) - and browsers are routinely used
to shipping things on the order of O(days) - having concrete, actionable
data helps ensure forward progress is made.

> But thanks for showing some flexibility and I'm hopeful a F2F discussion
> will allow all parties to come to consensus.

To reiterate: This is flexibility as to what the Baseline Requirements
require, with the acknowledgement that absent concrete data, it may be
appropriate and necessary to go above and beyond what the Baseline
Requirements require to ensure specific security needs are met. This is
similar to, for example, requiring the use of Certificate Transparency to
ensure an EV certificate is recognized as such in some browsers.