[cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

Robin Alden robin at comodo.com
Thu Nov 28 03:53:07 MST 2013


I also believe that this ballot is somewhat hasty.

The deployment time is short.

The proposed dates do not line up.  01-Apr-2014 + 39 months <>
01-Jan-2017.

If the de facto deprecation exists then there is no motivation to rush
to make it de jure.

As Bruce mentions, the ballot does not address SHA-1/SHA-2.

I apologize I wasn't on the last CABF call, or I would have said at
least some of this then.

Regards
Robin

 

 

 

From: questions-bounces at cabforum.org
[mailto:questions-bounces at cabforum.org] On Behalf Of Bruce Morton
Sent: 27 November 2013 20:28
To: ben at digicert.com; Gervase Markham (gerv at mozilla.org);
questions at cabforum.org
Subject: Re: [cabfquest] [cabfpub] Ballot 111 - Accelerate Max
Certificate Lifetime Reduction Timetable

 

I would like to provide a response to the ballot. As the ballot
currently is written, if Entrust was able to vote, we would vote No.

First, we believe the timing of the ballot doesn't give CAs and
Subscribers enough lead time.

- If the ballot is approved, it will only give the CAs a little
  over 3 months to deploy. Why construct a ballot that will either have
  non-compliant CAs or have CAs change release cycles to address a
  non-security change?

- As well as technical changes, other items need to be
  addressed such as licensing agreements, technical notes, marketing
  pages, etc.

Second, although the ballot states it wants to take advantage of the /de
facto/ deprecation of SHA-1, it does not address SHA-1:

- Per Appendix A, SHA-1 is still allowed to be issued with no
  wind down period.

- Changing from 60 months to 39 months, one year earlier, still
  allows CAs to issue 39 month SHA-1 signed certificates ... forever.

- Why does the ballot state /de facto/ deprecation, when only
  one browser has a policy to deprecate SHA-1?

Regardless of the ballot, the CAs will need to take action to support
the Microsoft SHA-1 policy and to minimize Subscriber issues in 2017.
CAs should consider:

- Changing the signing default from SHA-1 to SHA-2.

- Limiting the validity period of SHA-1 signed certificates to
  31 December 2016.

- On 1 Jan 2016, stop signing certificates with SHA-1.

What should the CAB Forum do?

- Evaluate the Microsoft Policy and update certificate signing
  requirements in the Baseline Requirements.

- Leave the validity period deprecation alone as it does not
  address SHA-1 signing.

If replying to this email, please send responses to the public list.

Thanks for allowing me to provide input.

All the best, Bruce.
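As an added illustration (not part of this thread, and not any CA's or the Forum's own tooling), the following Python script models the two constraints discussed in Robin's and Bruce's messages: the 39-month maximum validity that Ballot 111 would bring forward to 1 April 2014, and Bruce's suggested SHA-1 sunset (stop signing on 1 Jan 2016, no SHA-1 certificate expiring after 31 December 2016). The policy model is a deliberate simplification: validity is measured as whole calendar months from notBefore, the signature hash is represented by a plain string, and the certificate inventory is constructed sample data rather than real certificates. Running it reproduces Robin's arithmetic (1 April 2014 plus 39 months is July 2017, not January 2017) and Bruce's "39 month SHA-1 certificate expiring after 2016" case.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List

# Dates taken from the thread. The policy model itself is a constructed
# simplification for illustration, not CA/Browser Forum text.
ACCELERATED_39_MONTH_DATE = date(2014, 4, 1)   # Ballot 111 moves this from 1 April 2015
SHA1_STOP_SIGNING = date(2016, 1, 1)            # Bruce's suggested cut-off for SHA-1 signing
SHA1_LAST_NOT_AFTER = date(2016, 12, 31)        # Bruce's suggested cap on SHA-1 notAfter


def add_months(d: date, months: int) -> date:
    """Advance a date by whole calendar months, clamping the day-of-month
    where the target month is shorter (31 Jan + 1 month -> 28/29 Feb)."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year = d.year + years
    month = month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def max_validity_months(not_before: date) -> int:
    """Maximum lifetime in months for a certificate issued on not_before under
    the ballot: 39 months from the accelerated date, 60 months before it."""
    return 39 if not_before >= ACCELERATED_39_MONTH_DATE else 60


def latest_expiry_under_ballot(issued: date) -> date:
    """Latest notAfter a certificate issued on that date may carry.
    Robin's point: 1 April 2014 + 39 months lands in July 2017, not January 2017."""
    return add_months(issued, max_validity_months(issued))


@dataclass
class CertInfo:
    """Constructed stand-in for the fields a checker would read from a real certificate."""
    subject: str
    not_before: date
    not_after: date
    sig_hash: str   # hash in the signature algorithm, e.g. "sha1" or "sha256"


def check_certificate(cert: CertInfo) -> List[str]:
    """Return the policy findings for one certificate (empty list means compliant)."""
    findings = []
    limit = max_validity_months(cert.not_before)
    if cert.not_after > add_months(cert.not_before, limit):
        findings.append(f"validity period exceeds {limit} months")
    if cert.sig_hash.lower() == "sha1":
        if cert.not_before >= SHA1_STOP_SIGNING:
            findings.append("signed with SHA-1 on or after the proposed signing stop date")
        if cert.not_after > SHA1_LAST_NOT_AFTER:
            findings.append("SHA-1 certificate expires after 31 December 2016")
    return findings


# Constructed sample inventory: none of these are real certificates.
SAMPLE_CERTS = [
    CertInfo("ok.example", date(2014, 6, 1), date(2016, 12, 31), "sha256"),
    # Bruce's "39 month SHA-1 ... forever" case: within 39 months, but SHA-1 past 2016.
    CertInfo("sha1-long.example", date(2014, 6, 1), date(2017, 6, 1), "sha1"),
    # Over the 39-month cap that applies from 1 April 2014.
    CertInfo("too-long.example", date(2014, 4, 1), date(2017, 7, 2), "sha256"),
    # The 60-month cap still applies the day before the accelerated date.
    CertInfo("legacy.example", date(2014, 3, 31), date(2019, 3, 31), "sha256"),
]


def audit(certs: List[CertInfo]) -> dict:
    """Map each subject to its findings; subjects with no findings map to []."""
    return {c.subject: check_certificate(c) for c in certs}


if __name__ == "__main__":
    print("1 April 2014 + 39 months =", latest_expiry_under_ballot(ACCELERATED_39_MONTH_DATE))
    for subject, findings in audit(SAMPLE_CERTS).items():
        print(f"{subject}: {'compliant' if not findings else '; '.join(findings)}")
```

The two checks are independent on purpose: a certificate can satisfy the shortened validity cap and still be flagged on the SHA-1 sunset, which is exactly the gap Bruce describes in the ballot as written.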

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
On Behalf Of Ben Wilson
Sent: Tuesday, November 26, 2013 12:53 PM
To: public at cabforum.org
Subject: [cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime
Reduction Timetable

 

Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

Gervase Markham (Mozilla) made the following motion, endorsed by Eddy
Nigg from StartCom and Ryan Hurst from Globalsign:

--- Motion begins ---

The CAB Forum wishes to take advantage of the /de facto/ deprecation of
the near-ubiquitous SHA-1 hash algorithm in the Web PKI and its 1
January 2017 retirement by accelerating the Forum's planned move to
shorter maximum certificate lifetimes, in order to attain a more agile
certificate ecosystem.

Therefore, effective immediately, the Baseline Requirements are altered
as follows:

Update section 9.4.1 to change both occurrences of "1 April 2015" to "1
April 2014".

Update the Relevant Compliance Dates table on page ii to change
2015-04-01 to 2014-04-01 in the appropriate line.

--- Motion ends ---

The ballot review period comes into effect immediately upon posting
today (Tuesday, 26 November 2013) and will close at 2200 UTC on Tuesday,
5 December 2013.  Unless the ballot is withdrawn or modified during the
review period, the voting period will start immediately thereafter and
will close at 2200 UTC on Tuesday, 12 December 2013.  If the ballot is
modified during such voting period for reasons other than to correct
minor typographical errors, then the ballot will be deemed to have been
withdrawn.

Votes must be cast by posting an on-list reply to this thread.

A vote in favor of the ballot must indicate a clear 'yes' in the
response.

A vote against the ballot must indicate a clear 'no' in the response.  A
vote to abstain must indicate a clear 'abstain' in the response. Unclear
responses will not be counted.  The latest vote received from any
representative of a voting member before the close of the voting period
will be counted.

Voting members are listed here: http://www.cabforum.org/forum.html

In order for the motion to be adopted, two thirds or more of the votes
cast by members in the CA category and more than one half of the votes
cast by members in the browser category must be in favor. Also, quorum
is currently set at 6 members: at least 6 members must participate in
the ballot, either by voting in favor, voting against, or by abstaining,
for the vote to be valid.

 
