[cabfpub] about EV period for Gov

Ryan Sleevi sleevi at google.com
Tue Nov 18 14:36:31 UTC 2014


On Nov 18, 2014 7:26 AM, "Rich Smith" <richard.smith at comodo.com> wrote:
>
> Gerv and Ryan,
> I agree with both your reasoning as to 5 year certs, but I think you've
> both also misunderstood Richard's request.  He is asking that EVs be
> allowed for 39 months, not 60, for government sites.

No, I understood perfectly well. The point was that 60 months (current BRs)
is too long, and the 39 months was a compromise with CAs, but not one that
reflects a good security posture. That it takes 3 years to roll out changes
is hardly a feature.

> I'm against that proposal, but
> only because I don't think it's wise to carve out a special rule just for
> one type of client.  I would like to suggest however, that now that we
> have agreed to a max 39 months for TLS certs in the BR, how about we allow
> EVs for 39 months along with DV and OV certs.  Given the extra vetting
> that goes into EV, I don't think this would create any additional threat
> than allowing DV/OV for 39 months, in fact I think allowing 39 for EV is
> probably less problematic from a vetting point of view, and doesn't change
> your points about rolling out security enhancements significantly given
> that DV/OV still represent the majority of certificates issued.
>

I suspect we will disagree on this point. Rather than weaken the EVs
because the BRs are weak, why not strengthen the BRs and limit them to 27
months as well?

> I don't really have strong feelings about this proposal either way, but I
> think it would make things easier on all parties involved if we settled
> on a single max lifetime for all TLS certificates at this point.  27
> months was chosen for EV years before this group even conceived of the
> BRs and was chosen partially at least because there was no limit on the
> lifetime of certificates at all at the time, and it was rather arbitrary.
> We've now settled on 39 months as a max lifetime for TLS certs, and even
> if you think that should be shortened further, should that debate come
> up, I think it would be better if the debate encompassed all TLS certs
> rather than continuing to have to debate two separate, arbitrary time
> frames.
>
> -Rich
>

So would you support limiting the BRs to 27 months in order to harmonize?
Or to 15 months across the board?

> > -----Original Message-----
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Gervase Markham
> > Sent: Tuesday, November 18, 2014 4:21 AM
> > To: Ryan Sleevi; "Richard at WoSignrichard"@wosign.com
> > Cc: Dean Coclin (Dean_Coclin at symantec.com); CABFPub
> > Subject: Re: [cabfpub] about EV period for Gov
> >
> > On 18/11/14 06:45, Ryan Sleevi wrote:
> > > The limitations of date do not just apply to vetting information, but
> > > to providing an orderly and efficient window for making improvements
> > > and deprecating insecure practices.
> >
> > I think this is the key point here. Certs have a limited life so that
> > we can make sure that all certs get security and process improvements
> > in a reasonable timeframe. As Ryan says, 3 years is still a long time
> > and it would be nice if it was shorter, but 5 years is way, way too
> > long.
> >
> > If the government were willing to say "OK, if you give us a 5 years
> > cert, we understand that you may tell us to revoke it and replace it at
> > any time and we are cool with that", that might be OK - but if that's
> > true, why can't they just have a 3-year cert?
> >
> > Gerv
> > _______________________________________________
> > Public mailing list
> > Public at cabforum.org
> > https://cabforum.org/mailman/listinfo/public
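The ceilings argued over in this thread (60, 39, 27 and 15 months) only mean something once a certificate's notBefore/notAfter dates are turned into a month count. As an added example that is not part of the thread or of any CA/B Forum document, here is a defender-side compliance check in Python that does that conversion and reports which ceilings a lifetime fits under. The round-up rule for a trailing partial month and the ceiling labels are assumptions of this example, not definitions taken from the BRs or EV Guidelines.

```python
from datetime import date
import calendar

# Ceilings discussed in the thread, in months. Labels are constructed for
# this example; the numbers are the ones quoted in the discussion.
LIMITS_MONTHS = {
    "BR current max": 60,
    "BR agreed max": 39,
    "EV max": 27,
    "across-the-board suggestion": 15,
}


def validity_months(not_before: date, not_after: date) -> int:
    """Whole calendar months between notBefore and notAfter.

    A trailing partial month counts as a full month (assumption: a
    conservative rounding for a compliance check, not a BR definition).
    """
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    months = (not_after.year - not_before.year) * 12 \
        + (not_after.month - not_before.month)
    # Clamp notBefore's day to the length of notAfter's month so that
    # Jan 31 -> Feb 28 counts as exactly one month, not a partial one.
    last_day = calendar.monthrange(not_after.year, not_after.month)[1]
    anchor_day = min(not_before.day, last_day)
    if not_after.day > anchor_day:
        months += 1
    return months


def check_lifetime(not_before: date, not_after: date) -> dict:
    """Return the computed validity and, per ceiling, whether it is met."""
    months = validity_months(not_before, not_after)
    return {
        "months": months,
        "within": {name: months <= cap for name, cap in LIMITS_MONTHS.items()},
    }


if __name__ == "__main__":
    # Constructed sample: a cert issued the day of this thread, 39 months long.
    result = check_lifetime(date(2014, 11, 18), date(2018, 2, 18))
    print(result["months"], result["within"])
```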