<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \,serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1242446652;
mso-list-type:hybrid;
mso-list-template-ids:1481123614 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Trustwave supports standardizing the max cert length and validations. Specifically the 27/27 version and based on the “_not_after_date”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">In the short term, we have all the same issues with changes to system code, update all marketing, legal, sales training, etc. The flipside is the elimination of the confusion with sales, support teams and customers.
Trustwave tries hard to explain why EV is better and then we have to qualify: except that they don’t last as long, except they have to be re-validated more often, except that they don’t support wildcard (another topic I know but related in this sense). I
think security is enhanced with more frequent turnover, so that supports standardizing to 2 years rather than to 3.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I also am a believer that getting customers used to more frequent updates (manual or automated, but this will also push automation) will help push the security industry forward. This just part of the IT world
in general. Microsoft supported XP for over 12 years, but will most likely never support an OS that long again.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Billy<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org]
<b>On Behalf Of </b>Rich Smith<br>
<b>Sent:</b> Thursday, March 31, 2016 7:24 AM<br>
<b>To:</b> Jeremy Rowley <jeremy.rowley@digicert.com><br>
<b>Cc:</b> public@cabforum.org<br>
<b>Subject:</b> Re: [cabfpub] Certificate validity periods<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal">On 3/30/2016 3:04 PM, Jeremy Rowley wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">Thanks Rich – comments are in-line</span><o:p></o:p></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="color:#1F497D"> </span></a><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext">
</span><a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a><span style="color:windowtext"> [</span><a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a><span style="color:windowtext">]
<b>On Behalf Of </b>Rich Smith<br>
<b>Sent:</b> Wednesday, March 30, 2016 10:32 AM<br>
<b>To:</b> </span><a href="mailto:public@cabforum.org">public@cabforum.org</a><span style="color:windowtext"><br>
<b>Subject:</b> Re: [cabfpub] Certificate validity periods</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Jeremy,<br>
I'm not sure Comodo would support any change at this point, but if we were to change I'd like to propose, let's call it 1c;<br>
Set all max validity to 27 months; Require re-validation for all at 27 months.<br>
<span style="color:#1F497D">{JR} I’d be okay with that. In fact, I like the proposal. </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
I'm against your proposal of 1a for the same reasons I don't like 27/13 for EV It puts us in position of having to redo validation of a replacement request by the customer. In this case, the customer would get the DV or OV for 27 months, be able to replace
at will, renew the cert for an additional 27 months, but be subject to revalidatiion half way through the 2nd when trying to get a replacement/re-issuance. This is bad enough with EV already, and I'm very much against extending it to OV/DV. If we can't find
a reasonable path to match up the re-validation requirement with max validity then I'm against making any changes.<br>
<span style="color:#1F497D">{JR} 1a was the opposite. It was have validation good for 39 months and just require reissuance of the cert every 2 years.
</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif">[RWS] I got that, but it still puts the limit on previous verification into the middle of a term of certificate validity so it amounts to the same problem we have now with
EV, just during the 2nd order rather than the first.<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">From the customer perspective, they expect to have to jump through hoops at the point of placing a new order. We don't generally get push back on that. What they don't expect, and what it is very difficult
to make them understand is having to jump through the hoops again during the validity period of the same order. The customer doesn't understand these requirements and it causes a bad customer experience, for which they blame the CA.<br>
<span style="color:#1F497D">{JR} No hoops. Well, no different hoops than before. It just shortens the validity period of certs, permitting faster changes in industry standards and encouraging key reuse. Fair note that I will likely eventually ask for some limits
on key reuse at some point… </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
-Rich<o:p></o:p></p>
<div>
<p class="MsoNormal">On 3/30/2016 11:04 AM, Jeremy Rowley wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi everyone, <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’d like to resurface the certificate validity period discussion and see if there is a way to move this forward. I’m still keen on seeing a standardized maximum validity period for all certificate types, regardless of whether the certificate
is DV, OV, or EV. I believe the last time this was discussed, we reached an impasse where the browsers favored a shorter validity period for OV/DV and the CAs were generally supportive of a longer-lived EV certificate (39 months). The argument for a shorter
validity period were 1) encourages key replacement, 2) ensures validation occurs more frequently, 3) deters damage caused by key loss or a change in domain control, and 4) permits more rapid changes in industry standards and accelerates the phase-out of insecure
practices. The argument for longer validity periods: 1) customers prefer longer certificate validity periods, and 2) the difficulty in frequent re-validation of information.
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">So far, there seems to be two change proposals with a couple of variations:<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Set all certificate validity periods to no more than 27 months<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Require re-validation of information for OV/DV certificates at 39 months OR<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Require re-validation of information for all certs at 13 months<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Set all certificate validity periods to 39 months<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Require re-validation every 13 months<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2 lfo2">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>Require re-validation of information for OV/DV certificates at 39 months<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">What are the objections to 1a? With all the automated installers abounding, 1a seems to capture the simplicity and customer convenience of 39 months with the advantages of shorter-lived certs. Who would oppose/endorse a ballot that does
one of these? <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Jeremy<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman ,serif",serif"><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Public mailing list<o:p></o:p></pre>
<pre><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><o:p></o:p></pre>
<pre><a href="http://scanmail.trustwave.com/?c=4062&d=j5f91u4p2Uyt9dsAzV2XScOPhDRFhIOyTnXtAtVHtw&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman ,serif",serif"> </span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><o:p> </o:p></span></p>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information
contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.<br>
</font>
</body>
</html>