[cabfpub] [cabfquest] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

Dean Coclin Dean_Coclin at symantec.com
Wed Nov 27 21:53:05 UTC 2013 

We also agree with Bruce. The timing to implement this is very short and is
not on anyone's roadmap. This would be a significant change for any major CA
considering the number of certificates in play. The ballot does not allow
enough time to get the change in place without major disruption of roadmaps,
product plans and the customer base. If this was a serious security threat,
then we would probably have a different response. But given that this date
appears to be arbitrarily chosen without regard to CA business practices, we
urge the proponents to reconsider and discuss an appropriate date on the
next call.


Dean Coclin
Symantec

 

From: questions-bounces at cabforum.org [mailto:questions-bounces at cabforum.org]
On Behalf Of Bruce Morton
Sent: Wednesday, November 27, 2013 3:28 PM
To: ben at digicert.com; Gervase Markham (gerv at mozilla.org);
questions at cabforum.org
Subject: Re: [cabfquest] [cabfpub] Ballot 111 - Accelerate Max Certificate
Lifetime Reduction Timetable

 

I would like to provide a response to the ballot. As the ballot currently is
written, if Entrust was able to vote, we would vote No.

 

First, we believe the timing of the ballot doesn't give CAs and Subscribers
enough lead time.

-          If the ballot is approved, it will only give the CAs a little
over 3 months to deploy. Why construct a ballot that will either have
non-compliant CAs or have CAs change release cycles to address a
non-security change?

-          As well as technical changes, other items need to be addressed
such as licensing agreements, technical notes, marketing pages, etc.

 

Second, although the ballot states it wants to take advantage of the /de
facto/ deprecation of SHA-1, it does not address SHA-1:

-          Per Appendix A, SHA-1 is still allowed to be issued with no wind
down period

-          Changing from 60 months to 39 months, one year earlier, still
allows CAs to issue 39 month SHA-1 signed certificates . forever.

-          Why does the ballot state /de facto/ deprecation, when only one
browser has a policy to deprecate SHA-1?

 

Regardless of the ballot, the CAs will need to take action to support the
Microsoft SHA-1 policy and to minimize Subscriber issues in 2017. CA's
should consider:

-          Changing the signing default from SHA-1 to SHA-2.

-          Limiting the validity period of SHA-1 signed certificates to 31
December 2016

-          On 1 Jan 2016, stop signing certificates with SHA-1

 

What should the CAB Forum do?

-          Evaluate the Microsoft Policy and update certificate signing
requirements in the Baseline Requirements

-          Leave the validity period deprecation alone as it does not
address SHA-1 signing

 

If replying to this email, please send responses to the public list.

 

Thanks for allowing me to provide input

 

All the best, Bruce.

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Tuesday, November 26, 2013 12:53 PM
To: public at cabforum.org
Subject: [cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime
Reduction Timetable

 

Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

 

Gervase Markham (Mozilla) made the following motion, endorsed by Eddy Nigg
from StartCom and Ryan Hurst from Globalsign:

 

--- Motion begins ---

 

The CAB Forum wishes to take advantage of the /de facto/ deprecation of the
near-ubiquitous SHA-1 hash algorithm in the Web PKI and its 1 January 2017
retirement by accelerating the Forum's planned move to shorter maximum
certificate lifetimes, in order to attain a more agile certificate
ecosystem.

 

Therefore, effective immediately, the Baseline Requirements are altered as
follows:

 

Update section 9.4.1 to change both occurrences of "1 April 2015" to "1
April 2014".

 

Update the Relevant Compliance Dates table on page ii to change

2015-04-01 to 2014-04-01 in the appropriate line.

 

... Motion ends ...

 

The ballot review period comes into effect immediately upon posting today
(Tuesday, 26 November 2013) and will close at 2200 UTC on Tuesday, 5
December 2013.  Unless the ballot is withdrawn or modified during the review
period, the voting period will start immediately thereafter and will close
at 2200 UTC on Tuesday, 12 December 2013.  If the ballot is modified during
such voting period for reasons other than to correct minor typographical
errors, then the ballot will be deemed to have been withdrawn.

 

Votes must be cast by posting an on-list reply to this thread.

 

A vote in favor of the ballot must indicate a clear 'yes' in the response.

 

A vote against the ballot must indicate a clear 'no' in the response.  A
vote to abstain must indicate a clear 'abstain' in the response. Unclear
responses will not be counted.  The latest vote received from any
representative of a voting member before the close of the voting period will
be counted.

 

Voting members are listed here: http://www.cabforum.org/forum.html

 

In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and more than one half of the votes cast by
members in the browser category must be in favor. Also, quorum is currently
set at 6 members-- at least 6 members must participate in the ballot, either
by voting in favor, voting against, or by abstaining for the vote to be
valid.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131127/491d6332/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6130 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20131127/491d6332/attachment-0001.p7s>

More information about the Public mailing list