[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

Mon Sep 2 16:16:08 MST 2019

Entrust Datacard votes no on Ballot SC22.  Here are our reasons.

1. This ballot was proposed or endorsed by three browsers – Google, Mozilla, and Apple – and by one CA, Let’s Encrypt.  It was written to address certain hypothetical security issues, but no comprehensive security analysis was provided to demonstrate the value of these changes to the community as a whole.

2. Three Forum members polled their customers (the website owners/Subscribers) about the ballot – and the response to the ballot was overwhelmingly negative.

DigiCert: 81% of responding customers oppose the ballot.  70% use no automation for certificate replacement, 13% are “mostly no” on use of automation.  Median company size: 2,800+ employees.  Number of respondents: 545.
https://cabforum.org/pipermail/servercert-wg/2019-August/000900.html (basic results)
https://cabforum.org/pipermail/servercert-wg/2019-August/000942.html (related customer comments)

Entrust Datacard: 83% of responding customers oppose the ballot.  75% use no automation for certificate replacement.  Median company size: 7,000+ employees.  Number of respondents: 573.  350 more responses came in after we published the initial survey – the results were consistent
https://cabforum.org/pipermail/servercert-wg/2019-August/000936.html
GoDaddy: 82% of responding customers oppose the ballot.  Only 26% of respondents use automation or “some automation” for their certificate replacement.  This survey focused on GoDaddy’s customer base, the small business. Number of respondents: 2,732.
https://cabforum.org/pipermail/servercert-wg/2019-August/000991.html

In total, 3,850 organizations responded to these surveys, and 82% are opposed to the ballot.  This is important data that should be considered by those who are proposing this ballot.

DigiCert and Entrust Datacard also published hundreds of comments received with the survey.  As you see in the links above, many website owners are upset at the browsers who are promoting this ballot.  Unfortunately, the comments in opposition were dismissed and even ridiculed on the Server Certificate Working Group list.  Some website owners oppose automation of certificate replacement on a security basis, while others pointed out that automation is simply not possible in certain environments.  These are IT security experts for major enterprises, and their views should be carefully considered, not dismissed.

We want to propose a better approach for this issue – to create a special ad hoc committee of browsers, CAs, website owners, and others to develop metrics by consensus on if and when certificate validity and data reuse periods should be shortened.  The Forum should listen to all voices and welcome outside expertise on such an important and highly controversial issue as this.

For these reasons, we are voting no, and we urge other CAs and the browsers also to vote no and to work together in developing a better approach to addressing this issue.

Thanks,

Chris

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190902/69c47145/attachment.html>