[cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

Ryan Hurst ryan.hurst at globalsign.com
Fri Nov 29 08:41:13 UTC 2013

We agree with Jeremy.

*From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On Behalf Of* Jeremy Rowley
*Sent:* Friday, November 29, 2013 12:35 AM
*To:* 'CABFPub'
*Subject:* Re: [cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

60 month certs have limited the Forum’s ability to create improvements ever
since we started discussing the BRs, and practically every significant
change we make includes a discussion about what to do to accommodate
long-lived certs. Several of the results of these discussions, and barriers to
change, are evident in the BRs themselves (issuance from a root, the
internal server name deprecation date, etc.). By eliminating long-lived
certs, the Forum eliminates one of the major obstacles in improving the
industry, permitting the Forum to become the primary proponent for
improvements instead of the browsers (i.e., instead of Microsoft announcing
that SHA2 is required for all certs three years from now, the Forum could
have passed a BR requirement to the same effect).

Plus, the code signing working group focuses heavily on private key
protection.  During the discussions, the group estimated that 50% of the
problem certificates resulted from stolen or compromised private keys.  I
imagine the problem is just as bad for SSL.  Add on top of that the fact
that five-year old information is extremely stale and has likely changed.


*From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On Behalf Of* kirk_hall at trendmicro.com
*Sent:* Thursday, November 28, 2013 7:07 PM
*To:* Eddy Nigg (StartCom Ltd.); CABFPub
*Subject:* Re: [cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

Well, so far the existence of 60 month certs has not stopped the browsers
from imposing new requirements on CAs and certificates that have an
immediate effect on all certs (60 month and 39 month certs alike) – some
browsers have even taken the position that new rules in the BRs adopted in
July 2012 and made effective in February 2013 would apply **retroactively**
to certs issued **before** those dates.

So I don’t really think it’s true that the existence of 60 month certs
issued by some CAs has ever limited changes made by the Forum, or their
effective dates.  Has it?

*From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] *On Behalf Of* Eddy Nigg (StartCom Ltd.)
*Sent:* Thursday, November 28, 2013 3:22 PM
*To:* CABFPub
*Subject:* Re: [cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

On 11/28/2013 10:53 PM, kirk_hall at trendmicro.com wrote:

Are there any known security breaches from past-issued 60 month certs (such
as someone stealing the private key plus using the cert beyond a 39 month
expiration period, someone selling an old server that had a private key
plus 60-month cert on it, change of corporate identity during a five-year
period that rendered a properly-issued 60-month cert inaccurate, but the
cert was still used, etc.)?  Or is the concern more theoretical?

Kirk, if you read the responses from Bruce and Dean (and maybe some others)
you understand that every time a change needs to be introduced you'll get
opposition from exactly those CAs that issue long-living certificates. We
all understand that CAs want to nail a customer for as long as possible and
make a difference by issuing certificates for long periods of time
(irresponsible) because others won't do that - but since this requirement
would be applied across the board I believe there will be no competitive
disadvantage to any of them.

However, the entire industry will improve once changes can be pushed through
within ~3 years rather than the current 5 and previously 10. Being able to act
faster and get rid of possibly problematic certificates within the
time-frame of 3 years without the need of revocation (which would result in
another outcry anyway) is probably a worthy goal. With the current
upcoming changes it appears to be a golden opportunity to achieve that.


Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
startcom at startcom.org <xmpp:startcom at startcom.org>
Join the Revolution! <http://blog.startcom.org>
Follow Me <http://twitter.com/eddy_nigg>


The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.