[cabfpub] about EV period for Gov

Rich Smith richard.smith at comodo.com
Tue Nov 18 09:16:05 MST 2014 




From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Tuesday, November 18, 2014 9:37 AM

[RWS] <snip>

So would you support limiting the BRs to 27 months in order to harmonize? Or 
to 15 months across the board?

[RWS] I suspect that is a harder sell amongst the CAs than 39 month EVs are to 
you.  Not speaking for Comodo for a moment, just for myself, I won't say that 
I'm absolutely opposed to it, but I do think it's overkill.  Frankly I think, 
now that we've agreed on a 39 month max across the industry, certificate 
lifetime is not the bottleneck when it comes to rolling out major enhancements 
to TLS.  Given that any major shift in TLS requires not just the CAs, but also 
the CLIENTS and, SERVERS to support it, I seriously doubt the ability to roll 
out any major upgrade in under 39 months regardless of the max lifetime of 
certificates.  Frankly changing the CA policies is the easy part.  Any major 
change needs virtually all clients and servers to support it to avoid breaking 
the internet.  We've seen how difficult that is with SHA-2.  It was never the 
CAs holding back SHA-2 adoption.  It was always, and still is, though we've 
chosen now to write off the stragglers, client and server support.  CAs would 
have been happy to issue SHA-2 the moment the algorithm was available, but 
there wouldn't have been much point with no support from client and server 
software.  10 years on and we are still effectively breaking compatibility 
with a significant number of clients by rolling it out now.

-Rich

> > -----Original Message-----
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Gervase Markham
> > Sent: Tuesday, November 18, 2014 4:21 AM
> > To: Ryan Sleevi; "Richard at WoSignrichard"@wosign.com
> > Cc: Dean Coclin (Dean_Coclin at symantec.com); CABFPub
> > Subject: Re: [cabfpub] about EV period for Gov
> >
> > On 18/11/14 06:45, Ryan Sleevi wrote:
> > > The limitations of date do not just apply to vetting information, but
> > > to providing an orderly and efficient window for making improvements
> > > and deprecating insecure practices.
> >
> > I think this is the key point here. Certs have a limited life so that
> > we can make sure that all certs get security and process improvements
> > in a reasonable timeframe. As Ryan says, 3 years is still a long time
> > and it would be nice if it was shorter, but 5 years is way, way too
> > long.
> >
> > If the government were willing to say "OK, if you give us a 5 years
> > cert, we understand that you may tell us to revoke it and replace it at
> > any time and we are cool with that", that might be OK - but if that's
> > true, why can't they just have a 3-year cert?
> >
> > Gerv
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141118/1f61530d/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6378 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20141118/1f61530d/attachment.bin

More information about the Public mailing list