[cabfpub] Concerns regarding Mozilla Root Program/Baseline Requirements

Gervase Markham gerv at mozilla.org
Thu Aug 1 19:20:26 UTC 2013

On 01/08/13 19:46, Rich Smith wrote:
> I have no problem with any of the above.  I can't speak to any other CAs'
> practices around something like this, but as for Comodo, if a replacement is
> done on any certificate regardless of the term of validity, we re-verify
> domain control as per the BR.  We have done this even before the BR became
> effective.  We also require that the reissuance/re-key be based upon a CSR
> meeting current key size requirements (2048 on our system at this point)
> regardless of what was allowed when the cert was originally issued. 

If you are happy to update other facets of the cert to be BR-compliant,
why not the validity period? Is it just that it's a commercial PITA, or
is there another reason?

> So, like I said, I don't really have enough certs out there to put up strong
> resistance to your reasoning and conclusion, but the fact is that if even
> one of these gets re-issued, the customer is going to scream bloody murder
> when I cut time off it and I'm going to have to talk them down and jump
> through hoops on our system to either get a partial refund issued or somehow
> tack another free cert on at the end of the BR allowed term (5 years from
> now).  Both of those things are a bloody pain in the neck for what I see as
> zero added benefit to anyone, so I'd really rather not have to deal with it.

The benefit of having a fixed time period of X years is that if we
outlaw a practice, we are able to confidently say X years later that
there are no more valid certs which have that problem. I'd like X to be
shorter than 5 years - that seems a long time to get rid of bad things -
but 5 years is what we ended up with after negotiation.

I feel your pain in the above - I realise that whatever solution is
implemented, it's going to require effort and/or code. Perhaps we should
go together to talk to the guy who thought SSL certs with a 10-year
validity period were a good idea, and clue him in :-)

