<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
HARICA participated in the discussion of ballot 185. Our concerns
can be summarized in the following:<br>
<ul>
<li>This proposal will raise the administrative overhead of
Subscribers significantly (from where it is today). System
administrators time is considered "expensive" thus, this
proposal raises the cost for Subscribers. We support
automation tools for web sites but there are more things to
consider:<br>
</li>
<ul>
<li>SSL/TLS certificates are used for more than web services
(FTPs, LDAPs, IMAPs, POP3s, Radius, SMTP, etc). Subscribers
operating such services don't currently have the necessary
tools to automate the renewal process every year and it is
not anticipated that such tools will exist anytime soon
(even in the year to come).<br>
</li>
<li>Some SSL/TLS certificates are used in Federated Services
which require out-of-bad distribution (a very manual
process).</li>
<li>There are many legacy devices that don't support
automation in certificate management (Wireless Access
Points, VPN servers, etc).</li>
</ul>
<li>The CA/B Forum supports and requires ONLY <u>secure</u> (to
the best of the community's knowledge) cryptographic
algorithms in the Baseline Requirements. These algorithms have
a lifetime expectancy for sustaining attacks and factoring, of
several years. In cases where an algorithm was proven or was
even considered as insecure, appropriate deprecation measures
were adopted, consistent with the vulnerabilities and threats.
Of course there are lessons to be learned, and this process
must be improved, even standardized. Requiring certificates to
be issued every year does not substitute the necessity for
appropriate deprecation measures.</li>
<li>We consider <a
href="https://support.google.com/a/answer/7300887">Google's
S/MIME policy</a> for certificate validity of 27 months, as
the best next-step forward that should be adopted by the CA/B
Forum for the Baseline Requirements. It will still raise the
administrative overhead for Subscribers but it will be less
aggressive and easier to adopt.</li>
</ul>
For the reasons above, HARICA votes "no" for ballot 185.<br>
<br>
We would support creating an agreed-upon questionnaire by the
Forum members (the same questionnaire for everyone) that will
address most or all of the concerns raised in the discussion
period of ballot 185. This questionnaire would be forwarded to CA
Subscribers thus acquiring consistent, concrete data that will
help the Forum decide future steps regarding the certificate
validity period and domain validation (or re-validation). We may
come back to this in a different thread, after the end of the
voting period.<br>
<br>
<br>
Best regards,<br>
Dimitris Zacharopoulos.<br>
<p><br>
</p>
<br>
<br>
<br>
On 13/2/2017 9:18 μμ, Ryan Sleevi via Public wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvZ1UotFUqXHCLve0SOkG-KHJpTVm9bvV_XAbeqY=Wm=xQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Pursuant to the consensus on <a moz-do-not-send="true"
href="https://cabforum.org/pipermail/public/2017-February/009530.html">https://cabforum.org/pipermail/public/2017-February/009530.html</a>
about the nature of changes during the discussion period, and
the request from Gervase on <a moz-do-not-send="true"
href="https://cabforum.org/pipermail/public/2017-February/009618.html">https://cabforum.org/pipermail/public/2017-February/009618.html</a>
to adjust what represents the Baseline agreement, this adjusts
the effective date from 1 April to 24 August. While individual
programs may choose to enact or enforce requirements prior to
that, as the Baseline Requirements capture the effective point
of common agreement of the bare minimum security levels, it
seems appropriate that this Ballot accurately reflect that.</div>
<div><br>
</div>
<div><br>
</div>
<div>Ballot 185 - Limiting the Lifetime of Certificates</div>
<div><br>
</div>
<div>The following motion has been proposed by Ryan Sleevi of
Google, Inc and endorsed by Josh Aas of ISRG and Gervase
Markham of Mozilla to introduce new Final Maintenance
Guidelines for the "Baseline Requirements Certificate Policy
for the Issuance and Management of Publicly-Trusted
Certificates" and the "Guidelines for the Issuance and
Management of Extended Validation Certificates"</div>
<div><br>
</div>
<div>-- MOTION BEGINS --</div>
<div>Modify Section 6.3.2 of the "Baseline Requirements
Certificate Policy for the Issuance and Management of
Publicly-Trusted Certificates" as follows:</div>
<div><br>
</div>
<div>Replace Section 6.3.2, which reads as follows:</div>
<div>"""</div>
<div>6.3.2. Certificate Operational Periods and Key Pair Usage
Periods</div>
<div><br>
</div>
<div>Subscriber Certificates issued after the Effective Date
MUST have a Validity Period no greater than 60 months. </div>
<div>Except as provided for below, Subscriber Certificates
issued after 1 April 2015 MUST have a Validity Period </div>
<div>no greater than 39 months. </div>
<div><br>
</div>
<div>Until 30 June 2016, CAs MAY continue to issue Subscriber
Certificates with a Validity Period greater than 39 </div>
<div>months but not greater than 60 months provided that the CA
documents that the Certificate is for a system or </div>
<div>software that: </div>
<div>(a) was in use prior to the Effective Date; </div>
<div>(b) is currently in use by either the Applicant or a
substantial number of Relying Parties; </div>
<div>(c) fails to operate if the Validity Period is shorter than
60 months; </div>
<div>(d) does not contain known security risks to Relying
Parties; and </div>
<div>(e) is difficult to patch or replace without substantial
economic outlay</div>
<div>"""</div>
<div><br>
</div>
<div>with the following text:</div>
<div>"""</div>
<div>6.3.2. Certificate Operational Periods and Key Pair Usage
Periods</div>
<div><br>
</div>
<div>Subscriber Certificates issued on or after 24 August 2017
MUST NOT have a Validity Period greater than three hundred and
ninety-eight (398) days.</div>
<div><br>
</div>
<div>Subscriber Certificates issued prior to 24 August 2017 MUST
NOT have a Validity Period greater than thirty-nine (39)
months.</div>
<div>"""</div>
<div><br>
</div>
<div>Modify Section 9.4 of the "Guidelines for the Issuance and
Management of Extended Validation Certificates" as follows:</div>
<div><br>
</div>
<div>Replace Section 9.4, which reads as follows:</div>
<div>"""</div>
<div>9.4. Maximum Validity Period For EV Certificate</div>
<div><br>
</div>
<div>The validity period for an EV Certificate SHALL NOT exceed
twenty seven months. It is RECOMMENDED that EV</div>
<div>Subscriber Certificates have a maximum validity period of
twelve months.</div>
<div>"""</div>
<div><br>
</div>
<div>with the following text:</div>
<div>""""</div>
<div>9.4 Maximum Validity Period for EV Certificate</div>
<div><br>
</div>
<div>EV Certificates issued on or after 24 August 2017 MUST NOT
have a Validity Period greater than three hundred and
ninety-eight (398) days.</div>
<div><br>
</div>
<div>EV Certificates issued prior to 24 August 2017 MUST NOT
have a Validity Period greater than twenty seven (27) months.</div>
<div>"""</div>
<div>-- MOTION ENDS --</div>
<div><br>
</div>
<div>Ballot 185 - Limiting the Lifetime of Certificates</div>
<div>Status: Final Maintenance Guideline</div>
<div><br>
</div>
<div>Review Period:</div>
<div>Start Time: 2017-02-10 00:00:00 UTC</div>
<div>End Time: 2017-02-17 00:00:00 UTC</div>
<div><br>
</div>
<div>Vote for Approval:</div>
<div>Start Time: 2017-02-17 00:00:00 UTC</div>
<div>End Time: 2017-02-24 00:00:00 UTC</div>
<div><br>
</div>
<div>Votes must be cast by posting an on-list reply to this
thread on the Public Mail List.</div>
<div><br>
</div>
<div>A vote in favor of the ballot must indicate a clear 'yes'
in the response. A vote against must indicate a clear 'no' in
the response. A vote to abstain must indicate a clear
'abstain' in the response. Unclear responses will not be
counted. The latest vote received from any representative of a
voting Member before the close of the voting period will be
counted. Voting Members are listed here: <a
moz-do-not-send="true" href="https://cabforum.org/members/">https://cabforum.org/members/</a></div>
<div><br>
</div>
<div>In order for the ballot to be adopted, two thirds or more
of the votes cast by Members in the CA category and greater
than 50% of the votes cast by members in the browser category
must be in favor.</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Public@cabforum.org">Public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://cabforum.org/mailman/listinfo/public">https://cabforum.org/mailman/listinfo/public</a>
</pre>
</blockquote>
<br>
</body>
</html>