[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

Curt Spann cspann at apple.com
Fri Aug 30 16:00:16 MST 2019


We have been very carefully reading the feedback on this thread and the survey results regarding this ballot. We especially appreciate the care that DigiCert, Entrust and GoDaddy have taken to ensure that the voices of the TLS server operators are reflected in our discussion of major changes to the ecosystem.

Reading those responses has made it clear to us that, despite many recent large-scale incidents, the ecosystem generally and server operators particularly have developed neither the necessary agility nor the appetite to correct major security issues in a timely manner without incurring significant cost to Apple's users (in terms of large-scale revocation list fetches, privacy compromises, and delayed or failed connections).

We strongly support this ballot as a means to address this issue in addition to gaining the many other benefits that Ryan Sleevi and others have detailed on this thread.

While we one day hope to see widespread automation and further lifetime reductions, the feedback here has made it clear that this goal may be a few years away. In our view, one year lifetimes balance the security needs of our users with the needs of server operators unable or unwilling to adopt automation.


> On Aug 30, 2019, at 2:56 PM, Joanna Fox via Servercert-wg <servercert-wg at cabforum.org> wrote:
> Hello all,
> GoDaddy also sent a survey to our SSL customers on the topic of reduced lifetime certificates. Our survey focused on our customer base, the small business. Total response size was 2,732. We have omitted customer comments as there were too many to review for personal data prior to posting.
> The biggest takeaway from this was a clear need to be able to effectively communicate with Subscribers why this change is occurring and what we can do to help them overcome any obstacles that may arise due to the increased manual labor that is expected due to this change. If certificate lifetime becomes reduced, I would ask to partner with the browsers to develop some clear, simple statements that all CAs can use to help communicate the benefits of this change to our ecosystem.
> Thank you,
> Joanna Fox
> Survey Questions (response charts were attached as images and are not reproduced here):
> Q1: Which of the following best describes the industry to which your company belongs? (Select one.)
> Q2: Which title best describes your position at your organization? (Select one.)
> Q3: Which of the following most closely describes your job function in IT? (Select one.)
> Q4: How often do you replace your SSL/TLS certificates today?
> Q5: Does your organization currently use automated certificate renewal and replacement methods (e.g., Venafi, ACME, DevOps orchestration)?
> Q6: The CA/Browser Forum is voting on a ballot reducing the maximum validity period for SSL/TLS certificates from the current 825 days (27 months) to 397 days (13 months), effective for new certificates issued on or after March 1, 2020. Would you vote in favor or against this?
> Q7: If this ballot is approved, how would this impact your organization?
> Q8: If this ballot is approved, which of these options would help your company adjust to this change?
> Q9: Under the proposed ballot, an organization and its domains would have to be revalidated every year instead of every two years. Do you believe this provides added security by revalidating this information every year?
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> http://cabforum.org/mailman/listinfo/servercert-wg

