[cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Thu Nov 28 23:21:42 UTC 2013


On 11/28/2013 10:53 PM, From kirk_hall at trendmicro.com:
> Are there any known security breaches from past-issued 60 month certs 
> (such as someone stealing the private key plus using the cert beyond a 
> 39 month expiration period, someone selling an old server that had a 
> private key plus 60-month cert on it, change of corporate identity 
> during a five-year period that rendered a properly-issued 60-month 
> cert inaccurate, but the cert was still used, etc.)?  Or is the 
> concern more theoretical?

Kirk, if you read the responses from Bruce and Dean (and maybe some 
others) you understand that every time a change needs to be introduced 
you'll get opposition from exactly those CAs that issue long-living 
certificates. We all understand that CAs want to nail a customer for as 
long as possible and make a difference by issuing certificates for long 
periods of time (irresponsible) because others won't do that - but since 
this requirement would be applied across the board I believe there will 
be no competitive disadvantage to any of them.

However the entire industry will improve once changes can be pushed 
through within ~3 years rather than currently 5 and previously 10. Being able 
to act faster and get rid of possibly problematic certificates within 
the time-frame of 3 years without the need of revocation (which would 
result in another outcry anyway) is probably a worthy goal. With the 
current upcoming changes it appears to be a golden opportunity to 
achieve that.


Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

