<p dir="ltr"><br>
On Nov 18, 2014 7:26 AM, "Rich Smith" <<a href="mailto:richard.smith@comodo.com">richard.smith@comodo.com</a>> wrote:<br>
><br>
> Gerv and Ryan,<br>
> I agree with both your reasoning as to 5 year certs, but I think you've both<br>
> also mis-understood Richard's request. He is asking that EVs be allowed for<br>
> 39 months, not 60, for government sites. </p>
<p dir="ltr">No, I understood perfectly well. The point was that 60 months (current BRs) is too long, and the 39 months was a compromise with CAs, but not one that reflects a good security posture. That it takes 3 years to roll out changes is hardly a feature.</p>
<p dir="ltr">> I'm against that proposal, but<br>
> only because I don't think it's wise to carve out a special rule just for<br>
> one type of client. I would like to suggest however, that now that we have<br>
> agreed to a max 39 months for TLS certs in the BR, how about we allow EVs<br>
> for 39 months along with DV and OV certs. Given the extra vetting that goes<br>
> into EV, I don't think this would create any additional threat than allowing<br>
> DV/OV for 39 months, in fact I think allowing 39 for EV is probably less<br>
> problematic from a vetting point of view, and doesn't change your points<br>
> about rolling out security enhancements significantly given that DV/OV still<br>
> represent the majority of certificates issued.<br>
></p>
<p dir="ltr">I suspect we will disagree on this point. Rather than weaken the EVs because the BRs are weak, why not strengthen the BRs and limit them to 27 months as well?</p>
<p dir="ltr">> I don't really have strong feelings about this proposal either way, but I<br>
> think it would make things easier on all parties involved if we settled on a<br>
> single max lifetime for all TLS certificates at this point. 27 months was<br>
> chosen for EV years before this group even conceived of the BRs and was<br>
> chosen partially at least because there was no limit on the lifetime of<br>
> certificates at all at the time, and it was rather arbitrary. We've now<br>
> settled on 39 months as a max lifetime for TLS certs, and even if you think<br>
> that should be shortened further, should that debate come up, I think it<br>
> would be better if the debate encompassed all TLS certs rather than<br>
> continuing to have to debate two separate, arbitrary time frames.<br>
><br>
> -Rich<br>
></p>
<p dir="ltr">So would you support limiting the BRs to 27 months in order to harmonize? Or to 15 months across the board?</p>
<p dir="ltr">> > -----Original Message-----<br>
> > From: <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>]<br>
> > On Behalf Of Gervase Markham<br>
> > Sent: Tuesday, November 18, 2014 4:21 AM<br>
> > To: Ryan Sleevi; "Richard@WoSignrichard"@<a href="http://wosign.com">wosign.com</a><br>
> > Cc: Dean Coclin (<a href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>); CABFPub<br>
> > Subject: Re: [cabfpub] about EV period for Gov<br>
> ><br>
> > On 18/11/14 06:45, Ryan Sleevi wrote:<br>
> > > The limitations of date do not just apply to vetting information, but<br>
> > > to providing an orderly and efficient window for making improvements<br>
> > > and deprecating insecure practices.<br>
> ><br>
> > I think this is the key point here. Certs have a limited life so that<br>
> > we can make sure that all certs get security and process improvements<br>
> > in a reasonable timeframe. As Ryan says, 3 years is still a long time<br>
> > and it would be nice if it was shorter, but 5 years is way, way too<br>
> > long.<br>
> ><br>
> > If the government were willing to say "OK, if you give us a 5 years<br>
> > cert, we understand that you may tell us to revoke it and replace it at<br>
> > any time and we are cool with that", that might be OK - but if that's<br>
> > true, why can't they just have a 3-year cert?<br>
> ><br>
> > Gerv<br>
> > _______________________________________________<br>
> > Public mailing list<br>
> > <a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
> > <a href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><br>
</p>