<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 12px; font-family: Arial, sans-serif; "><div><div>Hi all,</div><div><br></div><div>I agree with Rob in that there's still confusion when we look back so can we look forward? </div><div><br></div><div>The reason I say this is that we've had similar discussions on effective dates within the Ballot 107 thread around auditors understanding of effectiveness dates. As I stated in that thread, my understanding on effective dates has always been the same in that the effective date is on a per CA basis and 100% governed by the date the CA places a statement into their CPS (or modifies it to take account of changes needed for specific rules such as not supporting MITM etc) which is then later audited by their relevant ETSI or WebTrust auditor potentially 12 months afterwards. In the case of the Baseline Requirements there is a requirement for a specific statement and specific OIDs but for most root programs there's no requirement to add any compliancy statement. Critical dates for compliancy by root programs are mandated by the root programs themselves in sideline agreements/discussions. </div><div><br></div><div>The 1st July 2012 effective date was not "mandatory" across the industry and as such it may not have even been on the radar of all CAs (I'm thinking smaller here) in all jurisdictions. It would not therefore be fair to suggest that it was and backdate decisions that may well negatively impact the industry at large when web sites start failing. The idea behind the Baseline Requirements was a carrot to incentivise, through market competition, a way to improve the industry as a whole and not as a stick. Each root program owner has their own stick(s) already. I don't believe that there's a list of Baseline Requirements compliant CAs anywhere (See <a href="http://www.mozilla.org/projects/security/certs/included/index.html">http://www.mozilla.org/projects/security/certs/included/index.html</a> and you'll notice many CAs are missing audit reports for BR compliance).</div><div><br></div><div>In the end we are (were ;-) ) a consensus led group which leads me to ask myself what date does make sense for all rules to be applicable? The 31st December 2013 seems a great point in time due to the 1024/2048 bit RSA requirements in many peoples minds so is it possible to suggest to all root programs that they mandate a simple e-mail out to participants mandating full BR compliance by this date? As an example Mozilla would be able to complete their spreadsheet by then and Google would be able to turn on validity checking for anything issued from 1st Jan 2014 rather than 18 months earlier. This allows CAs to ensure that any re-issuance logic around the 60/39 month step-down in April 2015 will be effective and that subscribers can be warned of this logic change up front in a subscriber agreement. </div><div><br></div><div>Maybe it's a discussion for the CABForum F2F in a few weeks or on the call tomorrow night and I hope my points make sense as I really do believe looking forward is best and not backwards. </div><div><br></div><div><p style="margin: 0px; font-size: 10px; font-family: Arial; "></p><p style="margin: 0px; ">Steve</p><p style="margin: 0px; "><br></p></div></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Eddy Nigg <<a href="mailto:eddy_nigg@startcom.org">eddy_nigg@startcom.org</a>><br><span style="font-weight:bold">Organization: </span> StartCom Ltd.<br><span style="font-weight:bold">Date: </span> Tuesday, 3 September 2013 23:58<br><span style="font-weight:bold">To: </span> CABFPub <<a href="mailto:public@cabforum.org">public@cabforum.org</a>><br><span style="font-weight:bold">Subject: </span> Re: [cabfpub] Deprecating support for long-lived certificates<br></div><div><br></div><div>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
<br>
On 09/02/2013 01:48 PM, From Rob Stradling:
<blockquote cite="mid:52246D04.1090808@comodo.com" type="cite">
<pre wrap="">The BRs "Effective Date" was July 1st 2012, but I've never been sure
what exactly came into effect on that date, given the "not
mandatory...until...adopted and enforced" sentence I quoted previously!
</pre>
</blockquote>
<br>
So what did you do in your case? Or what did you do to clarify it?
I'm sure you must have had some thoughts and decisions...<br>
<br>
I'd say that the effective date is as per BR - it was already clear
before that software vendors will adopt it, in particular Mozilla
which was heavily involved during the discussions.<br>
<br>
<br>
<div class="moz-signature">
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</div></div>
_______________________________________________
Public mailing list
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</span></body></html>