[cabfpub] [cabfman] Short Lived Certificates

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Jul 27 19:39:47 UTC 2012


On 07/27/2012 09:56 PM, From Jeremy Rowley:
>
> Many DV suppliers already operate in an automated fashion.  Do they 
> ever look at the issued certificates?
>

Oh yes! I can't talk for other CAs but it's our diligence and 
responsibility to review and closely monitor what's going on. IIRC the 
most recent updates to the BR require yet a bit more than that (an 
erratum that you requested).

> I’m not sure how an automated system will increase risks over the 
> current practices.  If there was a requirement that each certificate 
> be reviewed manually, then I would agree with you.  This is not the case.
>

I can say that almost every certificate is reviewed in this or another 
manner; there are other possibilities, such as the one we implemented, 
that require interaction by the personnel with a flagging system. The 
automation is done due to a process initiated by another human (the 
subscriber requesting the certificate), which isn't quite the same as 
a system that automatically has to issue certificates when no request 
happens.

Maybe not all are diligent to the same level, but from my point of view 
an automated system that must issue a huge number of certificates 
under those circumstances every week is riskier than one that issues 
a much smaller amount with a validity of one or more years.

I also never agreed that so-called "trial" certificates that are valid 
for 30 days are somehow of a lesser risk and don't require the same 
diligence as a certificate that is valid for a year or more.


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

