[cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

Gervase Markham gerv at mozilla.org
Thu Nov 28 10:57:31 UTC 2013

On 28/11/13 10:53, Robin Alden wrote:
> I also believe that this ballot is somewhat hasty.
> The deployment time is short.
> The proposed dates do not line up.  01-Apr-2014 + 39 months <> 01-Jan-2017.

It can't be had both ways. The original proposal lined up the dates, but
was criticised for not allowing enough time for the transition. So it
was changed to allow some more time - 4 months was considered more
realistic on the call we had.

> If the de facto deprecation exists then there is no motivation to rush
> to make it de jure.

Except that the ballot also applies to SHA-2 certs.

As I said in my previous message: we are currently in a situation, right
now, where almost no cert on the Internet has a /de facto/ useful life
of longer than 37 months. This is because they are almost all SHA-1. I
would like to preserve this property going forward, as CAs start issuing
SHA-2 certs. If you don't agree with this aim, then you are going to
vote against the proposal however we word it. But if you agree with this
aim, but you don't like this method, how do you suggest we achieve it?


More information about the Public mailing list