[cabfpub] BR Rekey Rules

Gervase Markham gerv at mozilla.org
Thu Apr 17 13:48:57 UTC 2014

Hi Wayne,

On 12/04/14 01:17, Wayne Thayer wrote:
> Is there any support from other CAs and browsers to reconsider this BR
> rule in light of the current situation, or to at least make an exception
> for a major security event? 

Long-life certs cause problems in the SSL ecosystem, because they delay
the time that browsers and others can rely on a particular rule or
innovation which began on date X applying to all certificates. We've
been trying to reduce the maximum cert lifetime for a long time,
including some creative ideas to leverage the SHA1pocalypse, but those
ideas have been rebuffed. We are all still stuck waiting for the 2015
deadline which was agreed many moons ago.

Up to now, long-life certs haven't caused particular problems for CAs or
individual sites which use them. But now that long-life certs are
causing such problems for you and your customers, you want an exception
made so that they don't. I'm afraid my initial reaction is somewhat
unsympathetic. :-| If Heartbleed leads to a load of sites whose certs
weren't BR-compliant now using certs which are, I am not going to be
crying into my beer.

The max lifetime of an EV cert is 39 months, so the EV guidelines
exception you mention wouldn't help if it were transported to the BRs
with the same attendant restrictions. Transporting it to the BRs without
also bringing the 39-month limit along is not actually making them
match, it's putting a loophole in the BRs.


More information about the Public mailing list