[cabfpub] Lifecycle of EV certs

Gervase Markham gerv at mozilla.org
Fri Mar 20 03:31:52 MST 2015


On 19/03/15 23:22, Ryan Sleevi wrote:
> * The validity period is the lower-bound for the industry to make
> progressive changes that are technically enforcable.
..
> * It encourages better security practices and can reduce training and
> support overhead.
..
> BEAST, Lucky13, RC4, and FREAK all demonstrate the need to actively stay
> on top of things, and a habit of annual rotation of certificates can
> help set an upper-bound on how long insecure practices live on.

These two arguments are the most compelling to me. The slew of recent
SSL vulnerabilities, and the pervasive passive surveillance worldwide
(by multiple governments), all suggest that the Internet is much, much
better off when server operators are paying regular and informed
attention to their SSL security configurations. CAs should be
proactively working out how they can help their customers to adopt such
a posture, just as browser makers are working to figure out how we can
deprecate broken standards as quickly as possible.

For example, CAs may wish to email their customers once a year, whether
they have a one, two or three-year cert, with a set of updated
information about current best practice. (Maybe some already do.) They
could scan their customers' public websites and warn them about
configuration issues and potential future problems ("you know your site
only supports RC4?").

Gerv


More information about the Public mailing list