[cabfpub] SHA-1 changes and certificate lifetimes

Jeremy Rowley jeremy.rowley at digicert.com
Thu Nov 14 22:11:52 UTC 2013

I agree with Gerv and support moving towards 39 month certs with the SHA-2
transition. Every time the Forum wants to make a security improvement, there
is a significant lag while we wait for existing certs to expire.  Reducing
the time to 39 months keeps customers from having to re-purchase and install
certificates too frequently while letting the Forum set more reasonable
security update cycles. 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Thursday, November 14, 2013 3:14 AM
To: Wayne Thayer; CABFPub
Subject: Re: [cabfpub] SHA-1 changes and certificate lifetimes

On 13/11/13 19:30, Wayne Thayer wrote:
> I still don't understand how this proposal is connected to the new
> SHA-2 rules. 

AIUI, one big reason we did not have an earlier transition date to 39-month
max lifetime is that it would have required ringing up a load of customers
and telling them to change their currently-working and unexpired certs. Now,
we have to do that anyway, so it makes this objection no longer relevant.

My underlying assumption is that the CAB Forum wanted to make this
transition sooner but was prevented from doing so by concerns such as this.
Now this concern is not relevant, we can make the transition sooner. If, of
course, you are not of the opinion that we should make the transition to 39
months as soon as possible, then you will not agree with the logic of doing
it now rather than in April 2015. :-)

>>> In addition, reducing the allowed lifetime actually makes it harder 
>>> to transition longer duration certs to SHA-2.  If a CA issues a 5 
>>> year SHA-1 cert today and then can't reissue it with
>>> SHA-2 for the full term starting on Jan 1, then perhaps the least 
>>> bad choice is to wait until the remaining lifetime of the cert is 
>>> less than 39 months.
>> That would be an entirely reasonable thing to do.
> It seems to me that a more reasonable thing would be to start 
> transitioning customers with these certs to SHA-2 as soon as possible.

And if you are replacing their cert anyway, my logic runs, let's replace it
with one which meets the new max duration criteria that we would like,
rather than the old.

Public mailing list
Public at cabforum.org

More information about the Public mailing list