<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 19, 2015 at 3:33 PM, Jeremy Rowley <span dir="ltr"><<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal">Per the call today and discussion during the face-to-face, I’d like to start a public discussion on doing one of two things. Either:<u></u><u></u></p>
<p><u></u><span>1)<span style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span><u></u>Extending EV certificates to a 39 month validity period or<u></u><u></u></p>
<p><u></u><span>2)<span style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span><u></u>Reducing the validity period of all certificates to 24 months.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Personally, I like the idea of a maximum lifecycle of 24 months. The lower validity period ensures CAB Forum and industry changes take less time to implement (fewer MD5/SHA1 situations), and we encourage more frequent rekeying and validation.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">On the other hand, we are only about to lower the maximum to 39 months. Considering the opposition to the 39 month limit, I expect getting a consensus will be very difficult. Also, server operators with a medium amount of certs might be
significantly hurt since they would be doing cert changes more regularly and, unlike many large organizations, might not have automated processes.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Therefore extending EV to 39 months might be more reasonable. Extending EV to 39 months will help promote EV adoption and put EV on equal footing with OV/DV. Of course, this would extend the validation time by a year. One way to deal
with this extra time is adopt the Mozilla approach and require revalidation every X months (where X is mostly likely 13). If the validation fails, the cert would be revoked. I’m not a big fan of this revalidation approach since there’s no affirmative act
that signals the revalidation occurred (such as issuance) and there’s a strong incentive to simply let the cert stand. Plus, it’ll require some reworking for many CAs to ensure validation is tied to a timeframe (13 months) instead of an event (issuance). Although
revalidation will be covered in the audits, we might just recognize that the validation will only happen every 39 months and go with that.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thoughts?<span class=""><font color="#888888"><u></u><u></u></font></span></p><span class=""><font color="#888888">
<p class="MsoNormal">Jeremy</p></font></span></div></div></blockquote><div><br></div><div>Thanks for circling this again.</div><div><br></div><div>As mentioned during the F2F, we're supportive of 24/27 months, but not of extending EV to 39 months.</div><div><br></div><div>I understand the desire to make EV "appealing" - but as I've noted elsewhere, this doesn't inherently mean a security improvement. Indeed, I'd argue that the current EV lifetime is one of the few things where EV <b>is</b> a security improvement over DV/OV and thus potentially deserving of it's special UI status. Other bits include in Chrome the requirement for Certificate Transparency disclosure and may include minimum TLS and ciphersuite requirements or OCSP stapling. [1]</div><div><br></div><div>The argument for putting EV on equal footing with OV/DV doesn't really hold sway. I don't think Browsers are particularly keen to make a product offering more marketable, nor is it an intrinsic argument against a requirement that "Customer's may not want this product line", which is why the value of 39 months for EV is not clear.</div><div><br></div><div>So a HUGE +1 towards 24 months for DV/OV</div><div>And a HUGE -1 towards 39 months for EV.</div><div><br></div><div>I would say that even if 39 months for EV were to pass, unless there was significant evidence to suggest and demonstrate how doing so would improve security in tangible ways (beyond making a piece of UI appear), it's likely that Chrome would not grant such UI. I'm not trying to say this to shut down the discussion - but to emphasize how important it is that we think there's an extremely high bar for such a relaxation.</div><div><br></div><div>[1] <a href="https://groups.google.com/a/chromium.org/d/msg/security-dev/jmbbIgmGbdk/xU8pR8fxYOYJ">https://groups.google.com/a/chromium.org/d/msg/security-dev/jmbbIgmGbdk/xU8pR8fxYOYJ</a></div></div><br></div></div>