<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:944846019;
mso-list-type:hybrid;
mso-list-template-ids:-1681342630 675854064 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Times New Roman",serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></a></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ryan Sleevi [mailto:sleevi@google.com]
<br>
<b>Sent:</b> Friday, February 3, 2017 6:01 PM<br>
<b>To:</b> Doug Beattie <doug.beattie@globalsign.com><br>
<b>Cc:</b> CA/Browser Forum Public Discussion List <public@cabforum.org><br>
<b>Subject:</b> Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">I'll try to simplify the replies, because it seems that giving a long list of reasons is causing too much confusion:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#1F497D">* I agree, but I think there were some meaningful responses to the concerns you raised. This long email may be better served via a collaborative document or wiki, then follow up at the F2F. I’ll see what I
can do, because there are valuable points that were dropped in this response.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Did you know that Google’s CAA record is not correct? – Google is issuing SSL certificates to their domains but google.com is not listed in the CAA record. Am I misinterpreting CAA?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> <a href="https://toolbox.googleapps.com/apps/dig/#ANY/google.com">https://toolbox.googleapps.com/apps/dig/#ANY/google.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><b><span style="font-size:10.0pt;font-family:"Courier New";color:#006600;background:white">google.com. 86399 IN CAA 0 issue "symantec.com"</span></b><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Current CPS says you’re not checking CAA – as the proponent of CAA shouldn’t you be checking it, else how can you criticize CAs for dragging their feet?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">https://static.googleusercontent.com/media/pki.google.com/en//GIAG2-CPS-1.4.pdf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal">1) Do you acknowledge and agree that a shorter-lived certificate makes for a natural revocation?<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">* No, not really. Expired certificates let you click-through while revoked certificates are a hard fail, the way it should be (per Rob)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Phishing sites that have a 3 month certificate and that are identified on day 1 as being bad have a full 89 days to continue phishing without certificate expiration, so, there is no help with shorter validity
period certificates there<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Wouldn’t a WebPKI revocation system help more than shorter validity period certificates?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal">2) Do you acknowledge and agree that a shorter-lived certificate ensures that policies regarding new issuance can come in effect quicker than the current system?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#1F497D">* Yes, but at I apparently place less value on this than you do. Based on issuance date you know what policy it was issued under. As I’ve said repeatedly, short validity certificate would have had no benefit
to SHA-1 deprecation because it was the relying party applications that needed to be updated.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">What real world benefit of recent changes would have we have realized if we had 1-year max validity period in the past 3 years?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">CT: The set of log servers is just getting to the point of being robust and stable and we’re all moving that way. Some CAs are ahead of others.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">CAA – Google isn’t even doing CAA for their CAs yet, so how important can it really be?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">SHA-1 – as I’ve said before, not related to short validity certificates<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">So, what changes have we made or what changed do we envision needing to be applied to all active certificates in order for them to be trusted? I suggested in the last email making DV short validity – can we
at least try to build agreement on that before we boil the ocean? I might even OK with warning users that receive certificates that are valid longer than 18+- months that they may need to reissue them to be trusted by browsers before they expire, if that
helps get us to agreement. What do you think of baby steps and making at least some progress forward?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal">Your attempts to ignore the SHA-1 issue are surprising. I would have thought the data that Microsoft shared regarding their efforts to deprecate this - due to the security risk to their users - while minimizing impact - would have unquestionably
shown why this was necessary. To recap and refresh - the significant challenge reported was due to the long-lived nature of the certificates meaning that disabling SHA-1 - thus protecting the ecosystem - would and did cause considerable impact.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#1F497D">* The issue with SHA-1 deprecation came from the user base where applications and systems just didn’t support SHA-256 and not CAs. I keep saying this is a bad example of a policy change that would have benefited
from shorter validity period certificates. I hope we can agree on this and drop deprecation of SHA-1 as a reason for needing shorter validity certificates.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal">The irony here of your objections to continuing the SHA-1 discussion is that, anticipating these problems, Google tried to help communicate to users and site operators the risk that CAs' repeated failures would cause, and the CA Security
Council objected to this. So we have a situation where CAs are not actually trying to help the ecosystem (or their users) be more secure, we have ample evidence how the practice of long-lived certs prevents meaningful improvement, and CAs objecting to any
and all efforts to improve the ecosystem to date that don't involve CRLs/OCSP, a set of unusable technologies in part due to CAs poisoning that well. That's not a healthy ecosystem.<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Let’s identify the problems that we want to solve and come up with solutions rather than forcing a solution on the industry and trying to justify it. I don’t
know about the other CAs, but GlobalSIgn is fine with short validity certificates as long as all of our customers are. Changing the max validity period is trivial. What we keep missing here is that the consumers of SSL certificates need to be part of this
discussion, in fact, they are THE key element and the solutions needs to align with their technical and business needs.
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>