[cabfpub] Ballot 193 - 825-day Certificate Lifetimes

Ryan Sleevi sleevi at google.com
Wed Mar 1 22:24:14 UTC 2017


While I'm encouraged to see that CAs are beginning to recognize the shorter
lived certificates, I'm concerned that this introduces significantly more
changes than discussed during any Forum discussion over the past several
years.

I'd like to encourage the proposers to thoughtfully consider whether this
is either necessary or desirable, as there are clear problems with this
proposal.

On Wed, Mar 1, 2017 at 2:14 PM, Chris Bailey via Public <public at cabforum.org
> wrote:

> Section 6.3.2 limits the validity period of Subscriber Certificates. The
> CA MAY use the documents and data provided in Section 3.2 to verify
> certificate information, provided that *(i)* the CA obtained the data or
> document from a source specified under Section 3.2 no more than *825 days
> **thirty‐nine (39) months* prior to issuing the Certificate*; and (ii)
> the method used to obtain the document or data was acceptable under Section
> 3.2 at the time the document or data was obtained*.
>

>
> *A CA may rely on a previously verified certificate request to issue a
> replacement certificate, so long as the certificate being referenced was
> not revoked due to fraud or other illegal conduct, if:*
>


> *(1) The expiration date of the replacement certificate is the same as the
> expiration date of the Certificate that is being replaced, and*
>
> *(2) The Subject Information of the Certificate is the same as the Subject
> in the Certificate that is being replaced.*
>
>
>
> *If an Applicant has a currently valid Certificate issued by the CA, a CA
> MAY rely on its prior authentication and verification of the Applicant's
> right to use the specified Domain Name under Section 3.2.2.4, provided that
> the CA verifies that the WHOIS record still shows the same registrant as
> when the CA verified the specified Domain Name for the existing
> Certificate.*
>

Can you explain why you believe this change is necessary or critical? It
represents a significant departure from best practice, in a way that will
undermine security of the ecosystem.

Our position with respect to Draft Ballot 186 should hopefully make it
clear that any attempt to extend the reuse of stale information, a very
real and pressing security problem, makes such an approach problematic.


> Subscriber Certificates issued after *March 1, 2018 **the Effective Date*
> MUST have a Validity Period no greater than *825 days **60 months*.  *Subscriber
> Certificates issued after 1 April 2015 but prior to 1 March 2018 MUST NOT
> have a Validity Period greater than thirty-nine (39) months.*
>

It's unnecessary to state "after 1 April 2015". Given that the Baseline
Requirements are effective at time of issuance, this is a redundancy that
may impinge on clarity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170301/b1709a75/attachment-0003.html>


More information about the Public mailing list