[cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Thu Nov 28 23:21:42 UTC 2013
On 11/28/2013 10:53 PM, From kirk_hall at trendmicro.com:
> Are there any known security breaches from past-issued 60 month certs
> (such as someone stealing the private key plus using the cert beyond a
> 39 month expiration period, someone selling an old server that had a
> private key plus 60-month cert on it, change of corporate identity
> during a five-year period that rendered a properly-issued 60-month
> cert inaccurate, but the cert was still used, etc.)? Or is the
> concern more theoretical?
Kirk, if you read the responses from Bruce and Dean (and maybe some
others) you understand that every time a change needs to be introduced
you'll get opposition from exactly those CAs that issue long-living
certificates. We all understand that CAs want to nail a customer for as
long as possible and make a difference by issuing certificates for long
periods of time (irresponsible) because others won't do that - but since
this requirement would be applied across the board I believe there will
be no competitive disadvantage to any of them.
However the entire industry will improve once changes can be pushed
through within ~ 3 years than currently 5 and previously 10. Being able
to act faster and get rid of possible problematic certificates within
the time-frame of 3 years without the need of revocation (which would
result in another outcry anyway) is probably a worthy goal. With the
current upcoming changes it appears to be a golden opportunity to
achieve that.
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>