[cabfpub] SHA-1 changes and certificate lifetimes

Gervase Markham gerv at mozilla.org
Thu Nov 14 10:14:22 UTC 2013

On 13/11/13 19:30, Wayne Thayer wrote:
> I still don't understand how this proposal is connected to the new
> SHA-2 rules. 

AIUI, one big reason we did not have an earlier transition date to
39-month max lifetime is that it would have required ringing up a load
of customers and telling them to change their currently-working and
unexpired certs. Now, we have to do that anyway, so it makes this
objection no longer relevant.

My underlying assumption is that the CAB Forum wanted to make this
transition sooner but was prevented from doing so by concerns such as
this. Now this concern is not relevant, we can make the transition
sooner. If, of course, you are not of the opinion that we should make
the transition to 39 months as soon as possible, then you will not agree
with the logic of doing it now rather than in April 2015. :-)

>>> In addition, reducing the allowed lifetime actually makes it
>>> harder to transition longer duration certs to SHA-2.  If a CA
>>> issues a 5 year SHA-1 cert today and then can't reissue it with
>>> SHA-2 for the full term starting on Jan 1, then perhaps the least
>>> bad choice is to wait until the remaining lifetime of the cert is
>>> less than 39 months.
>> That would be an entirely reasonable thing to do.
> It seems to me that a more reasonable thing would be to start
> transitioning customers with these certs to SHA-2 as soon as
> possible.

And if you are replacing their cert anyway, my logic runs, let's replace
it with one which meets the new max duration criteria that we would
like, rather than the old.


More information about the Public mailing list