[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Aug 27 22:19:53 MST 2019

On 27/8/2019 11:31 μ.μ., Tobias S. Josefowitz wrote:
> The security of a domain owner of a recently transferred domain cannot 
> be viewed separately from the security of relying parties, but in fact 
> while "fresh" domain owners are only threatened in actuality, relying 
> parties are threatened in potentiality, which makes this a weakest 
> link issue. That you would claim that relying parties would have zero 
> security gains from this surprises me. 

Just to clarify, the security risk when domains are transferred is 
limited to the remaining days of the previous certificate validity, as 
the BygoneSSL was able to demonstrate. If the previous owner tried to 
re-validate the Domain, it would fail thus the certificate would be 
ultimately revoked. This would have (according to HARICA's argument) 
effectively the same result as if the certificate expired sooner. I hope 
this makes it a bit more clear.


More information about the Servercert-wg mailing list