[cabfpub] Certificate lifetimes: end state or trajectory?

Phillip Hallam-Baker philliph at comodo.com
Fri Mar 3 16:14:40 UTC 2017


While it is possible that the manner in which the proposal was made was the
reason it was soundly rejected, I can't see it being likely that there will
be a near term change in sentiment.

Going from 2 years to 1 or even 90 days makes no significant difference to
security in my view. The only way to make a significant difference is to
take the vulnerability window down to 3 days or less by requiring effective
revocation.

My goal is to eventually reduce the vulnerability window to 1 day for
ordinary revocation and 15 minutes for extraordinary revocation.

But even if we achieved that through short lived certs of 24 hours it would
still take three to five years to effect major changes in the Web
infrastructure. The Web is the largest and most complex machine that has
been or will ever be built by humans. And no single person or company is in
charge of it.


Right now we have a situation where certain people are loudly asserting that
we can't do effective revocation because it requires X and simultaneously
asserting that we must make other measures that are less effective but also
require X.

If we want to develop a roadmap, we should put everything on the table and
perform a cost/benefit analysis.

* The security benefits
* The impact on legacy browsers that can't be updated
* The latency impact on browser users
* The impact on site administrators

CAs and Browser providers naturally have different views on the last as site
administrators are our customers. So a proposal that requires hundreds of
thousands of site admins to spend hours or days implementing a change is a
major issue for CAs.

Going to my customers with a statement 'we have decided you have to do this
work because we agreed to it' is probably not happening.

Going to my customers with a statement 'You have to do this work because
certain browser providers decided to make you' is a different statement. It
is also a statement that I have been making people who are much higher in
the management chains of certain companies aware would be their PR issue,
not ours.

Rather than coercing the site administrators and arguing over who is going
to be blamed for using the stick, I suggest we should try the carrot
approach.


What if the deal we offered site administrators was 'if you want the very
fastest site response, etc. then implement these measures.'

I think that would go down a lot better.


-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
Markham via Public
Sent: Friday, March 3, 2017 4:15 AM
To: CABFPub <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: [cabfpub] Certificate lifetimes: end state or trajectory?

Following on from the discussion on the call, I think the Forum does need to
come to a conclusion on whether we are aiming to reduce certificate
lifetimes below 27 months in the next few years, or not.

I think it's fair to say that if the Forum passes a ballot on certificate
lifetimes _without_ a roadmap to 13 months (such as the current ballot 193),
then observers can reasonably assume that the Forum is unlikely to take
further steps on reducing lifetimes in the next few years. Because if we
were planning to do that, we would have set out our roadmap in the relevant
ballot in order to give everyone maximum time to prepare.

According to Ryan's summary, the following members voted No on ballot
185 giving the reason that "13 months is unacceptably short":

CA: DigiCert, Entrust, Izenpe, Quo Vadis, Actalis, Symantec, Trustwave,
CFCA, GDCA
Browser: Apple

It would be useful if those members could say whether 13 months would still
be unacceptably short if the date for introduction of the 13 month
requirement were something like 1st March 2019, 2 years from now.

If we can get consensus that this reduction is OK with a long enough lead
time, that might lead us to a ballot where the max. lifetime was reduced to
27 months on 1st March 2018, and 13 months on 1st March 2019, meaning that
by 1st May 2020, all unexpired certificates would be of lifetime 13 months
or fewer.

If members feel that even with 2 years lead time, this reduction is still
unacceptable, we should pass ballot 193 or something like it, thereby
indicating to the world that we have no plans for further reductions in a
CAB Forum context.

Gerv


_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public