[cabfpub] Lifecycle of EV certs
Eddy Nigg
eddy_nigg at startcom.org
Thu Mar 19 22:47:48 UTC 2015
Hi Jeremy,
On 03/20/2015 12:33 AM, Jeremy Rowley wrote:
>
> Per the call today and discussion during the face-to-face, I'd like to
> start a public discussion on doing one of two things.
>
Thanks for your post here...
> Personally, I like the idea of a maximum lifecycle of 24 months. The
> lower validity period ensures CAB Forum and industry changes take less
> time to implement (fewer MD5/SHA1 situations), and we encourage more
> frequent rekeying and validation.
If there would be consensus to reduce everything to two years, this
would be personally also fine with me, but....
> Therefore extending EV to 39 months might be more reasonable.
...considering that this is the strongest verification standard so far,
it might make sense to increase the life-time to what has been
established as a reasonable (maximum) time to rely on certificates.
Again personally, if anything should be changed besides this increase
would be the reduction of the life-time of DV certificates. After all,
all they confirm is some sort of control over the domain and not more.
You can't even know if the domain name is still registered by the holder
after just one year usually.
> Extending EV to 39 months will help promote EV adoption and put EV on
> equal footing with OV/DV.
Yes, that's currently a real drawback.
> Of course, this would extend the validation time by a year. One way
> to deal with this extra time is adopt the Mozilla approach and require
> revalidation every X months (where X is most likely 13).
I wouldn't be in favor of that - first of all today two years are
acceptable for EV certificates without any re-verification.
Second, the entire pain with EV is the verification process and not
necessarily getting the certificates in place. If it helps, we could
think about strengthening a point here or there to increase the
robustness of the verification process for EV.
And third, if ordinary IV/OV certificates are fine with a three year
verification cycle (not speaking about DV), then EV certainly is in my
opinion.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>