[cabfpub] Lifecycle of EV certs

Eddy Nigg eddy_nigg at startcom.org
Thu Mar 19 15:47:48 MST 2015


Hi Jeremy,

On 03/20/2015 12:33 AM, Jeremy Rowley wrote:
>
> Per the call today and discussion during the face-to-face, I'd like to 
> start a public discussion on doing one of two things.
>

Thanks for your post here...

> Personally, I like the idea of a maximum lifecycle of 24 months. The 
> lower validity period ensures CAB Forum and industry changes take less 
> time to implement (fewer MD5/SHA1 situations), and we encourage more 
> frequent rekeying and validation.

If there would be consensus to reduce everything to two years, this 
would be personally also fine with me, but....

> Therefore extending EV to 39 months might be more reasonable.

...considering that this is the strongest verification standard so far, 
it might make sense to increase the life-time to what has been 
established as a reasonable (maximum) time to rely on certificates.

Again personally, if anything should be changed besides this increase 
would be the reduction of the life-time of DV certificates. After all, 
all they confirm is some sort of control over the domain and not more. 
You can't even know if the domain name is still registered by the holder 
after just one year usually.

> Extending EV to 39 months will help promote EV adoption and put EV on 
> equal footing with OV/DV.

Yes, that's currently a real drawback.

> Of course, this would extend the validation time by a year. One way 
> to deal with this extra time is adopt the Mozilla approach and require 
> revalidation every X months (where X is mostly likely 13).

I wouldn't be in favor of that - first of all today two years are 
acceptable for EV certificates without any re-verification.
Second, the entire pain with EV is the verification process and not 
necessarily getting the certificates in place. If it helps, we could 
think about strengthening a point here or there to increase the 
robustness of the verification process for EV.
And third, if ordinary IV/OV certificates are fine with a three year 
verification cycle (not speaking about DV), then EV certainly is in my 
opinion.

-- 
Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
