[cabfpub] Ballot 185 - Limiting the Lifetime of Certificates

Dean Coclin Dean_Coclin at symantec.com
Thu Feb 16 22:26:13 UTC 2017

I know that many CAs are working to get this “concrete, actionable data”. I can say that most people we’ve talked to are completely surprised by this (even those following the forum threads), especially the implementation time, and are trying to assess the overall impact to their workflows.

By the same token, it would be helpful to hear any concrete actionable data that has suddenly made this a pressing need to quickly implement vis-à-vis other ecosystem security improvements. For example, is this considered a higher priority than say, CAA? Why/why not?

I know we are coming to the end of the discussion period but I hope we can continue to have a constructive dialog.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Wednesday, February 15, 2017 8:59 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>
Cc: Dean Coclin <Dean_Coclin at symantec.com>
Subject: Re: [cabfpub] Ballot 185 - Limiting the Lifetime of Certificates

On Wed, Feb 15, 2017 at 5:54 PM, Dean Coclin via Public <public at cabforum.org> wrote:
This is still a relatively short implementation time for the change being considered, especially given product roadmaps handling other high impact items (i.e. CT) in the same time window.

As always, it's useful to specifically identify what challenges this presents, to better inform the debate. Given that CAs routinely say "it's a short implementation timeline" - and this is six months for an existing, well-supported part of the WebPKI (as opposed to new features, such as improved validation methods, CT, or CAA) - and browsers are routinely used to shipping things on the order of O(days) - having concrete, actionable data helps ensure forward progress is made.

But thanks for showing some flexibility and I'm hopeful a F2F discussion will allow all parties to come to consensus.

To reiterate: This is flexibility as to what the Baseline Requirements require, with the acknowledgement that absent concrete data, it may be appropriate and necessary to go above and beyond what the Baseline Requirements require to ensure specific security needs are met. This is similar to, for example, requiring the use of Certificate Transparency to ensure an EV certificate is recognized as such in some browsers.
