[cabfpub] about EV period for Gov

Rich Smith richard.smith at comodo.com
Tue Nov 18 07:26:29 MST 2014


Gerv and Ryan,
I agree with both your reasoning as to 5-year certs, but I think you've both
also misunderstood Richard's request.  He is asking that EVs be allowed for
39 months, not 60, for government sites.  I'm against that proposal, but
only because I don't think it's wise to carve out a special rule just for
one type of client.  I would like to suggest, however, that now that we have
agreed to a max 39 months for TLS certs in the BR, how about we allow EVs
for 39 months along with DV and OV certs.  Given the extra vetting that goes
into EV, I don't think this would create any additional threat compared to
allowing DV/OV for 39 months; in fact, I think allowing 39 for EV is probably
less problematic from a vetting point of view, and it doesn't change your
points about rolling out security enhancements significantly, given that
DV/OV still represent the majority of certificates issued.

I don't really have strong feelings about this proposal either way, but I
think it would make things easier on all parties involved if we settled on a
single max lifetime for all TLS certificates at this point.  27 months was
chosen for EV years before this group even conceived of the BRs and was
chosen partially at least because there was no limit on the lifetime of
certificates at all at the time, and it was rather arbitrary.  We've now
settled on 39 months as a max lifetime for TLS certs, and even if you think
that should be shortened further, should that debate come up, I think it
would be better if the debate encompassed all TLS certs rather than
continuing to have to debate two separate, arbitrary time frames.

-Rich

> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Gervase Markham
> Sent: Tuesday, November 18, 2014 4:21 AM
> To: Ryan Sleevi; "Richard at WoSignrichard"@wosign.com
> Cc: Dean Coclin (Dean_Coclin at symantec.com); CABFPub
> Subject: Re: [cabfpub] about EV period for Gov
> 
> On 18/11/14 06:45, Ryan Sleevi wrote:
> > The limitations of date do not just apply to vetting information, but
> > to providing an orderly and efficient window for making improvements
> > and deprecating insecure practices.
> 
> I think this is the key point here. Certs have a limited life so that
> we can make sure that all certs get security and process improvements
> in a reasonable timeframe. As Ryan says, 3 years is still a long time
> and it would be nice if it was shorter, but 5 years is way, way too
> long.
> 
> If the government were willing to say "OK, if you give us a 5-year
> cert, we understand that you may tell us to revoke it and replace it at
> any time and we are cool with that", that might be OK - but if that's
> true, why can't they just have a 3-year cert?
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
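The thread turns on two numbers: the 39-month maximum the Baseline Requirements set for TLS certificates and the 27-month maximum that applied to EV. A relying party or CA auditor wants to check a certificate's Validity field against whichever cap applies. The script below is an added example written for this page; it is not code from the thread, from the CA/Browser Forum, or from any CA. It takes the 39-month and 27-month figures exactly as the message states them (the assumption is that "months" means calendar months, with end-of-month days clamped), parses the notBefore/notAfter strings in the UTCTime and GeneralizedTime encodings RFC 5280 prescribes, and reports whether notAfter exceeds notBefore plus the cap. The sample validity periods are constructed, not taken from any real certificate.

```python
from calendar import monthrange
from datetime import datetime, timezone

# Validity caps as the message states them (assumed here as plain calendar-month
# counts): 39 months for TLS certs under the Baseline Requirements, 27 for EV.
BR_MAX_MONTHS = 39
EV_MAX_MONTHS = 27


def parse_x509_time(s):
    """Parse an RFC 5280 Validity field value into an aware UTC datetime.

    Certificates encode notBefore/notAfter as UTCTime 'YYMMDDHHMMSSZ' (years
    1950-2049) or GeneralizedTime 'YYYYMMDDHHMMSSZ' (2050 and later).
    """
    if not s.endswith("Z"):
        raise ValueError("certificate times must be in Zulu (UTC) form")
    body = s[:-1]
    if len(body) == 12:
        # UTCTime: RFC 5280 4.1.2.5.1 maps YY >= 50 to 19YY and YY < 50 to 20YY
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError("unrecognised time encoding: %r" % s)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def add_months(dt, months):
    """Advance dt by a number of calendar months, clamping the day to the
    last day of the target month (Jan 31 + 1 month -> Feb 28/29)."""
    total = dt.month - 1 + months
    year = dt.year + total // 12
    month = total % 12 + 1
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def check_validity(not_before, not_after, ev=False):
    """Return (ok, latest_allowed_not_after) for a certificate's Validity strings.

    ok is True when notAfter does not exceed notBefore plus the applicable cap
    (EV_MAX_MONTHS for EV certificates, BR_MAX_MONTHS otherwise).
    """
    nb = parse_x509_time(not_before)
    na = parse_x509_time(not_after)
    if na <= nb:
        raise ValueError("notAfter must be later than notBefore")
    cap = EV_MAX_MONTHS if ev else BR_MAX_MONTHS
    latest = add_months(nb, cap)
    return na <= latest, latest


if __name__ == "__main__":
    # Constructed sample validity periods, not taken from any real certificate.
    samples = [
        ("141118000000Z", "171118000000Z", False),  # 36-month DV/OV: within 39
        ("141118000000Z", "191118000000Z", False),  # 60-month cert: over 39
        ("141118000000Z", "171118000000Z", True),   # 36-month EV: over 27
        ("141118000000Z", "170218000000Z", True),   # exactly 27-month EV: allowed
    ]
    for nb, na, ev in samples:
        ok, latest = check_validity(nb, na, ev)
        print("%s -> %s (%s): %s, latest allowed %s"
              % (nb, na, "EV" if ev else "DV/OV",
                 "OK" if ok else "TOO LONG", latest.date()))
```

The check compares against notBefore plus the cap rather than dividing the lifetime by an average month length, so a certificate issued on the 31st is judged against the last day of the target month instead of being flagged by a rounding artefact. Swapping the two constants is all that is needed to model the single shared lifetime the message proposes.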