[cabfpub] Lifecycle of EV certs

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Tue Mar 24 18:50:27 UTC 2015

Chris Bailey and I have discussed this topic, and our preferences would be as follows:

(1) Make the permitted lifetime of all SSL certs (EV, OV, and DV) certs the same - whether 1, 2, or 3 years.  Our preference would be 3 years (actually, 39 months), but we would settle for 2 years (actually, 27 months) for all certs.  That makes for consistency, and puts the focus on the quality of the issuance process among the three cert types, without changing the permitted validity periods.

(2) Make the revetting rules the same for EV, OV, and DV - each type of cert is vetted in a different manner, so we should make the frequency of revetting the same for the sake of consistency (just once, at the time of issuance).  So even if EV certs are issued for 2 or 3 years, we not require interim revetting by the CA at 12 month periods with revocation if the interim revetting can't be completed successfully.  One vetting for the EV cert validity period is enough.

Here is our reasoning.

*         On maximum cert lifetime as well as revetting frequency for EV certs: In our experience the validity of an earlier EV vetting virtually never changes after 12 months - the business is the same, etc.  So why force more frequent revetting and issuance for EV certs, where the customer has already taken the extra vetting steps for stronger EV authentication at the start (as compared to an OV cert or DV cert owner)?

*         The EV Guidelines already allow some reuse of EV vetting data under EVGL 11.14.3, and we are not aware of any problems this  has caused.

*         Some have validly pointed out that technical cert requirements change over time, which argues for shorter term validity for all certificate types.  We agree with that consideration, and were in strong support of the Forum's earlier decision to shorten maximum DV and OV certificate validity to 3 years.  In general, we think 3 years is a reasonable transition time for most changes in certificate technical standards (so that the CA can wait until renewal of the cert to move to the new technical standard for that customer).  However, if a critical technical issue arises (such as SHA-1 deprecation) that requires a faster transition, we have already seen that CAs and customers can complete reissue and installation of updated certs in a compressed timeframe.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150324/465a4db1/attachment-0003.html>

More information about the Public mailing list