<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><base href="x-msg://8339/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">We are agree with the idea to reduce certificate lifetime as soon as possible.<div><br></div><div> <br><div apple-content-edited="true">
<span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; ">Best regards, <br><br>Eneli Kirme<br>Certification Centre/AS Sertifitseerimiskeskus<br></span></div><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><br></span></div><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><br></span></div><div><div>On 29.11.2013, at 10:41, Ryan Hurst <<a href="mailto:ryan.hurst@globalsign.com">ryan.hurst@globalsign.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple" style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); ">We agree with Jeremy.</span></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "> </span></p><div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(225, 225, 225); padding: 3pt 0in 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><b><span style="color: windowtext; ">From:</span></b><span style="color: windowtext; "><span class="Apple-converted-space"> </span><a href="mailto:public-bounces@cabforum.org" style="color: purple; text-decoration: underline; ">public-bounces@cabforum.org</a><span class="Apple-converted-space"> </span>[mailto:<a href="mailto:public-bounces@cabforum.org" style="color: purple; text-decoration: underline; ">public-bounces@cabforum.org</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Jeremy Rowley<br><b>Sent:</b><span class="Apple-converted-space"> </span>Friday, November 29, 2013 12:35 AM<br><b>To:</b><span class="Apple-converted-space"> </span>'CABFPub'<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable</span></div></div></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> </p><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); ">60 month certs have limited the Forum’s ability to create improvements ever since we starting discussing the BRs, and practically every significant change we make includes a discussion about what do to accommodate long-lived certs. Several the results of these discussions, and barrier to change, are evident in the BRs themselves (issuance from a root, the internal server name deprecation date, etc). By eliminating long lived certs, the Forum eliminates one of the major obstacles in improving the industry, permitting the Forum to become the primary proponent for improvements instead of the browsers (ie, instead of Microsoft announcing that SHA2 is required for all certs three years from now, the Forum could have passed a BR requirement to the same effect).</span></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "> </span></p><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); ">Plus, the code signing working group focuses heavily on private key protection. During the discussions, the group estimated that 50% of the problem certificates resulted from stolen or compromised private keys. I imagine the problem is just as bad for SSL. Add on top of that the fact that five-year old information is extremely stale and has likely changed. </span></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "> </span></p><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); ">Jeremy </span></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "> </span></p><div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(181, 196, 223); padding: 3pt 0in 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: windowtext; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: windowtext; "><span class="Apple-converted-space"> </span><a href="mailto:public-bounces@cabforum.org" style="color: purple; text-decoration: underline; ">public-bounces@cabforum.org</a><span class="Apple-converted-space"> </span>[<a href="mailto:public-bounces@cabforum.org" style="color: purple; text-decoration: underline; ">mailto:public-bounces@cabforum.org</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b><a href="mailto:kirk_hall@trendmicro.com" style="color: purple; text-decoration: underline; ">kirk_hall@trendmicro.com</a><br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, November 28, 2013 7:07 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Eddy Nigg (StartCom Ltd.); CABFPub<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable</span></div></div></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> </p><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: windowtext; ">Well, so far the existence of 60 month certs has not stopped the browsers from imposing new requirements on CAs and certificates that have an immediate effect on all certs (60 month and 39 month certs alike) – some browsers have even taken the position that new rules in the BRs adopted in July 2012 and made effective in February 2013 would apply *<b>retroactively</b>* to certs issued *<b>before</b>* those dates. </span></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: windowtext; "> </span></p><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: windowtext; ">So I don’t really think it’s true that the existence of 60 month certs issued by some CAs has ever limited changes made by the Forum, or their effective dates. Has it?</span></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="color: rgb(31, 73, 125); "> </span></p><div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(181, 196, 223); padding: 3pt 0in 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: windowtext; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; color: windowtext; "><span class="Apple-converted-space"> </span><a href="mailto:public-bounces@cabforum.org" style="color: purple; text-decoration: underline; ">public-bounces@cabforum.org</a><span class="Apple-converted-space"> </span>[<a href="mailto:public-bounces@cabforum.org" style="color: purple; text-decoration: underline; ">mailto:public-bounces@cabforum.org</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Eddy Nigg (StartCom Ltd.)<br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, November 28, 2013 3:22 PM<br><b>To:</b><span class="Apple-converted-space"> </span>CABFPub<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable</span></div></div></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> </p><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><br>On 11/28/2013 10:53 PM, From<span class="Apple-converted-space"> </span><a href="mailto:kirk_hall@trendmicro.com:" style="color: purple; text-decoration: underline; ">kirk_hall@trendmicro.com:</a></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; ">Are there any known security breaches from past-issued 60 month certs (such as someone stealing the private key plus using the cert beyond a 39 month expiration period, someone selling an old server that had a private key plus 60-month cert on it, change of corporate identity during a five-year period that rendered a properly-issued 60-month cert inaccurate, but the cert was still used, etc.)? Or is the concern more theoretical?</span></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; "><br>Kirk, if you read the responses from Bruce and Dean (and maybe some others) you understand that every time a change needs to be introduced you'll get opposition from exactly those CAs that issue long-living certificates. We all understand that CAs want to nail a customer for as long as possible and make a difference by issuing certificates for long periods of time (irresponsible) because others won't do that - but since this requirement would be applied across the board I believe there will be no competitive disadvantage to any of them.<br><br>However the entire industry will improve once changes can be pushed through within ~ 3 years than currently 5 and previously 10. Being able to act faster and get rid of possible problematic certificates within the time-frame of 3 years without the need of revocation (which would result in a another outcry anyway) is probably a worthy goal. With the current upcoming changes it appears to be a golden opportunity to achieve that.</span></p><div><table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0"><tbody><tr><td colspan="2" style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; ">Regards </span></div></td></tr><tr><td colspan="2" style="padding: 0in; "><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; "> </span></p></td></tr><tr><td style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; ">Signer: </span></div></td><td style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; ">Eddy Nigg, COO/CTO</span></div></td></tr><tr><td style="padding: 0in; "><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; "> </span></p></td><td style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; "><a href="http://www.startcom.org" style="color: purple; text-decoration: underline; ">StartCom Ltd.</a></span></div></td></tr><tr><td style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; ">XMPP: </span></div></td><td style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; "><a href="xmpp:startcom@startcom.org" style="color: purple; text-decoration: underline; ">startcom@startcom.org</a></span></div></td></tr><tr><td style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; ">Blog: </span></div></td><td style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; "><a href="http://blog.startcom.org" style="color: purple; text-decoration: underline; ">Join the Revolution!</a></span></div></td></tr><tr><td style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; ">Twitter: </span></div></td><td style="padding: 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; "><a href="http://twitter.com/eddy_nigg" style="color: purple; text-decoration: underline; ">Follow Me</a></span></div></td></tr><tr><td colspan="2" style="padding: 0in; "><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; "> </span></p></td></tr></tbody></table></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; "> </span></p><table class="MsoNormalTable" border="0" cellspacing="3" cellpadding="0"><tbody><tr><td style="background-color: white; padding: 0.75pt; background-position: initial initial; background-repeat: initial initial; "><table class="MsoNormalTable" border="0" cellspacing="3" cellpadding="0"><tbody><tr><td style="padding: 0.75pt; "><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; "> </pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; ">TREND MICRO EMAIL NOTICE</pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; ">The information contained in this email and any attachments is confidential </pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; ">and may be subject to copyright or other intellectual property protection. </pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; ">If you are not the intended recipient, you are not authorized to use or </pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; ">disclose this information, and we request that you notify us by reply mail or</pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; ">telephone and delete the original message from your mail system.</pre></td></tr></tbody></table></td></tr></tbody></table><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 12pt; font-family: 'Times New Roman', serif; color: windowtext; "> </span></p></div><span><smime.p7s></span>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" style="color: purple; text-decoration: underline; ">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" style="color: purple; text-decoration: underline; ">https://cabforum.org/mailman/listinfo/public</a></div></blockquote></div><br></div></body></html>