<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 3/30/2016 3:04 PM, Jeremy Rowley
wrote:<br>
</div>
<blockquote
cite="mid:1d1e3b8d1aaf430091434ab2be6235dd@EX2.corp.digicert.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1242446652;
mso-list-type:hybrid;
mso-list-template-ids:1481123614 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Thanks Rich –
comments are in-line<o:p></o:p></span></p>
<p class="MsoNormal"><a moz-do-not-send="true"
name="_MailEndCompose"><span style="color:#1F497D"><o:p> </o:p></span></a></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> <a class="moz-txt-link-abbreviated" href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a class="moz-txt-link-freetext" href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Rich
Smith<br>
<b>Sent:</b> Wednesday, March 30, 2016 10:32 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:public@cabforum.org">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Certificate validity
periods<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Jeremy,<br>
I'm not sure Comodo would support any change at this point,
but if we were to change I'd like to propose, let's call it
1c;<br>
Set all max validity to 27 months; Require re-validation for
all at 27 months.<br>
<span style="color:#1F497D">{JR} I’d be okay with that. In
fact, I like the proposal. <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
I'm against your proposal of 1a for the same reasons I don't
like 27/13 for EV It puts us in position of having to redo
validation of a replacement request by the customer. In this
case, the customer would get the DV or OV for 27 months, be
able to replace at will, renew the cert for an additional 27
months, but be subject to revalidatiion half way through the
2nd when trying to get a replacement/re-issuance. This is bad
enough with EV already, and I'm very much against extending it
to OV/DV. If we can't find a reasonable path to match up the
re-validation requirement with max validity then I'm against
making any changes.<br>
<span style="color:#1F497D">{JR} 1a was the opposite. It was
have validation good for 39 months and just require
reissuance of the cert every 2 years. </span></p>
</div>
</blockquote>
[RWS] I got that, but it still puts the limit on previous
verification into the middle of a term of certificate validity so it
amounts to the same problem we have now with EV, just during the 2nd
order rather than the first.<br>
<blockquote
cite="mid:1d1e3b8d1aaf430091434ab2be6235dd@EX2.corp.digicert.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">From the
customer perspective, they expect to have to jump through
hoops at the point of placing a new order. We don't generally
get push back on that. What they don't expect, and what it is
very difficult to make them understand is having to jump
through the hoops again during the validity period of the same
order. The customer doesn't understand these requirements and
it causes a bad customer experience, for which they blame the
CA.<br>
<span style="color:#1F497D">{JR} No hoops. Well, no different
hoops than before. It just shortens the validity period of
certs, permitting faster changes in industry standards and
encouraging key reuse. Fair note that I will likely
eventually ask for some limits on key reuse at some point… <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
-Rich<span style="color:#1F497D"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">On 3/30/2016 11:04 AM, Jeremy Rowley
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi everyone, <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’d like to resurface the certificate
validity period discussion and see if there is a way to move
this forward. I’m still keen on seeing a standardized
maximum validity period for all certificate types,
regardless of whether the certificate is DV, OV, or EV. I
believe the last time this was discussed, we reached an
impasse where the browsers favored a shorter validity period
for OV/DV and the CAs were generally supportive of a
longer-lived EV certificate (39 months). The argument for a
shorter validity period were 1) encourages key replacement,
2) ensures validation occurs more frequently, 3) deters
damage caused by key loss or a change in domain control, and
4) permits more rapid changes in industry standards and
accelerates the phase-out of insecure practices. The
argument for longer validity periods: 1) customers prefer
longer certificate validity periods, and 2) the difficulty
in frequent re-validation of information. <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">So far, there seems to be two change
proposals with a couple of variations:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><span
style="mso-list:Ignore">1)<span style="font:7.0pt
"Times New Roman""> </span></span><!--[endif]-->Set
all certificate validity periods to no more than 27 months<o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:1.0in;text-indent:-.25in;mso-list:l0
level2 lfo2"><!--[if !supportLists]--><span
style="mso-list:Ignore">a.<span style="font:7.0pt
"Times New Roman""> </span></span><!--[endif]-->Require
re-validation of information for OV/DV certificates at 39
months OR<o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:1.0in;text-indent:-.25in;mso-list:l0
level2 lfo2"><!--[if !supportLists]--><span
style="mso-list:Ignore">b.<span style="font:7.0pt
"Times New Roman""> </span></span><!--[endif]-->Require
re-validation of information for all certs at 13 months<o:p></o:p></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><span
style="mso-list:Ignore">2)<span style="font:7.0pt
"Times New Roman""> </span></span><!--[endif]-->Set
all certificate validity periods to 39 months<o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:1.0in;text-indent:-.25in;mso-list:l0
level2 lfo2"><!--[if !supportLists]--><span
style="mso-list:Ignore">a.<span style="font:7.0pt
"Times New Roman""> </span></span><!--[endif]-->Require
re-validation every 13 months<o:p></o:p></p>
<p class="MsoListParagraph"
style="margin-left:1.0in;text-indent:-.25in;mso-list:l0
level2 lfo2"><!--[if !supportLists]--><span
style="mso-list:Ignore">b.<span style="font:7.0pt
"Times New Roman""> </span></span><!--[endif]-->Require
re-validation of information for OV/DV certificates at 39
months<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">What are the objections to 1a? With all
the automated installers abounding, 1a seems to capture the
simplicity and customer convenience of 39 months with the
advantages of shorter-lived certs. Who would oppose/endorse
a ballot that does one of these? <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Jeremy<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>