[cabfpub] Reply: Ballot 185 (Revised) - Limiting the Lifetime of Certificates

Thu Feb 23 19:03:31 UTC 2017

Chunghwa Telecom votes Abstain.

     Li-Chun Chen

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: 13 February 2017 19:18
To: CABFPub <public at cabforum.org>
Cc: Ryan Sleevi <sleevi at google.com>
Subject: [cabfpub] Ballot 185 (Revised) - Limiting the Lifetime of Certificates

Pursuant to the consensus on https://cabforum.org/pipermail/public/2017-February/009530.html about the nature of changes during the discussion period, and the request from Gervase on https://cabforum.org/pipermail/public/2017-February/009618.html to adjust what represents the Baseline agreement, this adjusts the effective date from 1 April to 24 August. While individual programs may choose to enact or enforce requirements prior to that, as the Baseline Requirements capture the effective point of common agreement of the bare minimum security levels, it seems appropriate that this Ballot accurately reflect that.

Ballot 185 - Limiting the Lifetime of Certificates

The following motion has been proposed by Ryan Sleevi of Google, Inc and endorsed by Josh Aas of ISRG and Gervase Markham of Mozilla to introduce new Final Maintenance Guidelines for the "Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates" and the "Guidelines for the Issuance and Management of Extended Validation Certificates"

-- MOTION BEGINS --

Modify Section 6.3.2 of the "Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates" as follows:

Replace Section 6.3.2, which reads as follows:

"""

6.3.2. Certificate Operational Periods and Key Pair Usage Periods

Subscriber Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months. 

Except as provided for below, Subscriber Certificates issued after 1 April 2015 MUST have a Validity Period 

no greater than 39 months. 

Until 30 June 2016, CAs MAY continue to issue Subscriber Certificates with a Validity Period greater than 39 

months but not greater than 60 months provided that the CA documents that the Certificate is for a system or 

software that:   

(a) was in use prior to the Effective Date;  

(b) is currently in use by either the Applicant or a substantial number of Relying Parties;  

(c) fails to operate if the Validity Period is shorter than 60 months; 

(d) does not contain known security risks to Relying Parties; and  

(e) is difficult to patch or replace without substantial economic outlay

"""

with the following text:

"""

6.3.2. Certificate Operational Periods and Key Pair Usage Periods

Subscriber Certificates issued on or after 24 August 2017 MUST NOT have a Validity Period greater than three hundred and ninety-eight (398) days.

Subscriber Certificates issued prior to 24 August 2017 MUST NOT have a Validity Period greater than thirty-nine (39) months.

"""

Modify Section 9.4 of the "Guidelines for the Issuance and Management of Extended Validation Certificates" as follows:

Replace Section 9.4, which reads as follows:

"""

9.4. Maximum Validity Period For EV Certificate

The validity period for an EV Certificate SHALL NOT exceed twenty seven months. It is RECOMMENDED that EV

Subscriber Certificates have a maximum validity period of twelve months.

"""

with the following text:

""""

9.4 Maximum Validity Period for EV Certificate

EV Certificates issued on or after 24 August 2017 MUST NOT have a Validity Period greater than three hundred and ninety-eight (398) days.

EV Certificates issued prior to 24 August 2017 MUST NOT have a Validity Period greater than twenty seven (27) months.

"""

-- MOTION ENDS --

Ballot 185 - Limiting the Lifetime of Certificates

Status: Final Maintenance Guideline

Review Period:

Start Time: 2017-02-10 00:00:00 UTC

End Time: 2017-02-17 00:00:00 UTC

Vote for Approval:

Start Time: 2017-02-17 00:00:00 UTC

End Time: 2017-02-24 00:00:00 UTC

Votes must be cast by posting an on-list reply to this thread on the Public Mail List.

A vote in favor of the ballot must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting Member before the close of the voting period will be counted. Voting Members are listed here: https://cabforum.org/members/

In order for the ballot to be adopted, two thirds or more of the votes cast by Members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor.

本信件可能包含中華電信股份有限公司機密資訊,非指定之收件者,請勿蒐集、處理或利用本信件內容,並請銷毀此信件. 如為指定收件者,應確實保護郵件中本公司之營業機密及個人資料,不得任意傳佈或揭露,並應自行確認本郵件之附檔與超連結之安全性,以共同善盡資訊安全與個資保護責任. 
Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited. Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.