[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

Christian Heutger ch at psw.net
Mon Aug 26 07:13:51 MST 2019

> Annual certificates do not require the use of automation. Certificates with lifespans of <= 13 months, as this ballot proposes, make up 94% of the existing valid certificate market.

Because of the number of Let’s Encrypt certs, which you won’t see in the Top 100 etc. sites.

> You are correct that we did not explore it, because as noted in the ballot, revocation does not work for the Web, especially with respect to privacy. Any solution that relies on revocation is thus unacceptably broken.

OCSP doesn’t conflict with privacy.

> Thank you for sharing. Considering the hundreds of millions of sites which are exposed to harm, danger, and CA misissuance as a result of the long-lived lifetimes, and for which as Subscribers, they have no effective recourse, Google's position is that we put the user first. In this case, this means that the minority of sites and users - approximately 6% - may have to encounter annual replacement. However, the industry has shown that this does not require automation to do, as this is both the default for a number of CAs, and long wide-spread before the rise of automated mechanisms like RFC 8555. Automation simply improves things.

Automation adds additional threats. Other topics have been mentioned before many times.

> CAs that still think of certificate replacement as an "emergency" task are doing their users and customers a significant disservice and harm. Another objective, as noted, is to reinforce that this is not and cannot be the case.

Ask an IT service manager; he will tell you that it is, and from my point of view, it should be.

> Luckily, some CAs have recognized this, and in light of misissuance events have already taken steps - before this ballot was circulated or proposed - to reduce the lifetime of the certificates they issue to an annual basis. I can think of one CA, which primarily targets government and enterprise users, which recognized the challenges they and their customers had with timely replacement of certificates, and saw a reduction in lifetime as the most significant mitigation they could put in place.

Which CA do you mean?

> It is understandable for CAs, given their direct dealings with customers, to put their customers and business interests first, over the safety and security of the ecosystem and users. It can be difficult to articulate to them and their customers that the Web PKI is only as secure as its weakest link, and that they are directly harming many countless tens of millions of users and certificate holders that wish to have improved security. Similarly, it can be difficult to explain to these customers the importance of routine and regular certificate maintenance, as part of any cohesive infrastructure readiness or disaster preparedness scenario, as they may be relying on antiquated notions that certificate replacement is difficult. That's why it's incumbent upon us, the CA/Browser Forum, and in particular, the Browser Root Store operators who are tasked with ensuring the CAs in their program are trustworthy and the certificates issued by these CAs meaningfully secure users' connections, to lead and ensure that the minimum bar of security is adequate.

CAs for sure act in the interest of their customers, which involves that they, as well as their customers, won’t understand and accept solutions which are not covering the primary problem but are workarounds, which doubt them unnecessary extra effort.

> I'm shocked and dismayed to see CAs advocating against any lifetime reduction, as it suggests outdated or incomplete understanding of the core business they're in. While I'm sympathetic to discussions about when best to make these changes, and have tried earnestly to highlight repeatedly why it requires no substantive process changes for any individual Subscribers before 2021, I would have hoped the years of discussion that clearly identified this was the end-goal would have prepared adequately.

Maybe they understand more of their business, as they act with the customers directly, while you are in your own bubble of understanding. As suggested before, there should be neutral research on arguments and possible solutions, getting input on that from the customers and experts, e.g. in information security and IT service management. It’s also a bit shocking that e.g. you reject measures like audits, which are in place for a reason. So maybe external help should be required to have a common understanding of risks and controls to mitigate risks.