<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Tuesday, November 18, 2014 9:37 AM<br></span><br><b><i><span style='color:#1F497D'>[RWS] </span></i></b><span style='color:#1F497D'><snip></span><o:p></o:p></p><p>So would you support limiting the BRs to 27 months in order to harmonize? Or to 15 months across the board?<o:p></o:p></p><p><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[RWS] I suspect that is a harder sell amongst the CAs than 39 month EVs are to you. Not speaking for Comodo for a moment, just for myself, I won't say that I'm absolutely opposed to it, but I do think it's overkill. Frankly I think, now that we've agreed on a 39 month max across the industry, certificate lifetime is not the bottleneck when it comes to rolling out major enhancements to TLS. Given that any major shift in TLS requires not just the CAs, but also the CLIENTS and, SERVERS to support it, I seriously doubt the ability to roll out any major upgrade in under 39 months regardless of the max lifetime of certificates. Frankly changing the CA policies is the easy part. Any major change needs virtually all clients and servers to support it to avoid breaking the internet. We've seen how difficult that is with SHA-2. It was never the CAs holding back SHA-2 adoption. It was always, and still is, though we've chosen now to write off the stragglers, client and server support. CAs would have been happy to issue SHA-2 the moment the algorithm was available, but there wouldn't have been much point with no support from client and server software. 10 years on and we are still effectively breaking compatibility with a significant number of clients by rolling it out now.<o:p></o:p></span></i></b></p><p><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rich</span></i></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p>> > -----Original Message-----<br>> > From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>]<br>> > On Behalf Of Gervase Markham<br>> > Sent: Tuesday, November 18, 2014 4:21 AM<br>> > To: Ryan Sleevi; "Richard@WoSignrichard"@<a href="http://wosign.com">wosign.com</a><br>> > Cc: Dean Coclin (<a href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>); CABFPub<br>> > Subject: Re: [cabfpub] about EV period for Gov<br>> ><br>> > On 18/11/14 06:45, Ryan Sleevi wrote:<br>> > > The limitations of date do not just apply to vetting information, but<br>> > > to providing an orderly and efficient window for making improvements<br>> > > and deprecating insecure practices.<br>> ><br>> > I think this is the key point here. Certs have a limited life so that<br>> > we can make sure that all certs get security and process improvements<br>> > in a reasonable timeframe. As Ryan says, 3 years is still a long time<br>> > and it would be nice if it was shorter, but 5 years is way, way too<br>> > long.<br>> ><br>> > If the government were willing to say "OK, if you give us a 5 years<br>> > cert, we understand that you may tell us to revoke it and replace it at<br>> > any time and we are cool with that", that might be OK - but if that's<br>> > true, why can't they just have a 3-year cert?<br>> ><br>> > Gerv<br>> > _______________________________________________<br>> > Public mailing list<br>> > <a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>> > <a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></div></div></body></html>