<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.gmail-
{mso-style-name:gmail-;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Starting a new thread where web site administrators can post their questions regarding 13 month TLS certificates.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Posted with permission<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">the reasons to shorten the lifetime makes no sense. His argument was about faster phasing out SHA1, but as the CA side for the major CAs by paining them to have max. 1 year would not change the clients in enterprises
to SHA2 faster, I also got an enquiry on a project to replace the in-house CA with SHA2 and they were not able to manage it earlier, they need the budget and planning, so 13 months for doing similar change to SHA3 would be surrealistic.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">The next argument to be able to disable false certificates I also don't agree with. There is OCSP, where is stapling, so if the browsers disable OCSP check by default, why should the CAs need to solve this security weak
default setting by let the CAs always issue new certs, its less secure and looks more like a quick and dirty workaround solution for the more secure straightforward solution.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Also this solution requires automatism and I don't agree that automatism is more secure and the trustworthy future. Automatism is always insecure, it's the solution for the bride masses, but no solution for enterprises,
it always has weaknesses and may be attackable. Manual work is always under manual control and follow security key requirements like separation of duties, controlled change management, controlled deployment management, ... As I got known, encryption only as
fast as wide spread possible is the solution which Google wants to achieve, meanwhile trust isn't important (or Google may tell us, who we should trust).<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-GB">As I got known, this ballot will fail, if >50% of the browsers decline and/or >1/3 of the CAs. As only Let's Encrypt endorse this idea, as they only believe in encryption and decline any responsibility
for whom they issue, I saw scam, spam and phishing sites running Let's Encrypt, this ballot may fail, if all trust driven CAs will decline?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Mit freundlichen Grüßen,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Christian Heutger<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">Geschäftsführer<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">CISSP, CISA, CISM<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">ITIL-Expert, PRINCE2-/COBIT 5-Practitioner<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB">DS-/ISO 9001-/ISO 20000-1-/ISO 27001-Auditor<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
</div>
</body>
</html>