[cabfpub] Lifecycle of EV certs

Ryan Sleevi sleevi at google.com
Thu Mar 19 22:50:43 UTC 2015

On Thu, Mar 19, 2015 at 3:33 PM, Jeremy Rowley <jeremy.rowley at digicert.com>

>  Per the call today and discussion during the face-to-face, I’d like to
> start a public discussion on doing one of two things. Either:
> 1)      Extending EV certificates to a 39 month validity period or
> 2)      Reducing the validity period of all certificates to 24 months.
> Personally, I like the idea of a maximum lifecycle of 24 months. The lower
> validity period ensures CAB Forum and industry changes take less time to
> implement (fewer MD5/SHA1 situations), and we encourage more frequent
> rekeying and validation.
> On the other hand, we are only about to lower the maximum to 39 months.
> Considering the opposition to the 39 month limit, I expect getting a
> consensus will be very difficult.  Also, server operators with a medium
> amount of certs might be significantly hurt since they would be doing cert
> changes more regularly and, unlike many large organizations, might not have
> automated processes.
> Therefore extending EV to 39 months might be more reasonable.  Extending
> EV to 39 months will help promote EV adoption and put EV on equal footing
> with OV/DV.  Of course, this would extend the validation time by a year.
> One way to deal with this extra time is adopt the Mozilla approach and
> require revalidation every X months (where X is mostly likely 13).  If the
> validation fails, the cert would be revoked. I’m not a big fan of this
> revalidation approach since there’s no affirmative act that signals the
> revalidation occurred (such as issuance) and there’s a strong incentive to
> simply let the cert stand. Plus, it’ll require some reworking for many CAs
> to ensure validation is tied to a timeframe (13 months) instead of an event
> (issuance). Although revalidation will be covered in the audits, we might
> just recognize that the validation will only happen every 39 months and go
> with that.
> Thoughts?
> Jeremy

Thanks for circling this again.

As mentioned during the F2F, we're supportive of 24/27 months, but not of
extending EV to 39 months.

I understand the desire to make EV "appealing" - but as I've noted
elsewhere, this doesn't inherently mean a security improvement. Indeed, I'd
argue that the current EV lifetime is one of the few things where EV *is* a
security improvement over DV/OV and thus potentially deserving of it's
special UI status. Other bits include in Chrome the requirement for
Certificate Transparency disclosure and may include minimum TLS and
ciphersuite requirements or OCSP stapling. [1]

The argument for putting EV on equal footing with OV/DV doesn't really hold
sway. I don't think Browsers are particularly keen to make a product
offering more marketable, nor is it an intrinsic argument against a
requirement that "Customer's may not want this product line", which is why
the value of 39 months for EV is not clear.

So a HUGE +1 towards 24 months for DV/OV
And a HUGE -1 towards 39 months for EV.

I would say that even if 39 months for EV were to pass, unless there was
significant evidence to suggest and demonstrate how doing so would improve
security in tangible ways (beyond making a piece of UI appear), it's likely
that Chrome would not grant such UI. I'm not trying to say this to shut
down the discussion - but to emphasize how important it is that we think
there's an extremely high bar for such a relaxation.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150319/2714baa9/attachment-0003.html>

More information about the Public mailing list