[cabfpub] Lifecycle of EV certs

Doug Beattie doug.beattie at globalsign.com
Wed Mar 25 21:39:31 UTC 2015

I haven’t heard a compelling need to align the validity of EV with OV/DV other than “consistency”.  I’m perfectly happy doing different things for different products (as we do today) and don’t feel that alignment is necessary or warranted.  Is something busted with 39 month DV/OV or with 27 month EV?  What are we trying to accomplish?

If we start go do this road will SCTs, CAA, OCSP Stapling, wildcard certs, etc. start to modify the age of Certificate Data or the max validity period?  If we have a security issue or concern and want to adjust the max validity period, let’s discuss it, but making change for consistency is not a worthwhile endeavor, imho.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of kirk_hall at trendmicro.com
Sent: Tuesday, March 24, 2015 2:50 PM
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] Lifecycle of EV certs

Chris Bailey and I have discussed this topic, and our preferences would be as follows:

(1) Make the permitted lifetime of all SSL certs (EV, OV, and DV) certs the same – whether 1, 2, or 3 years.  Our preference would be 3 years (actually, 39 months), but we would settle for 2 years (actually, 27 months) for all certs.  That makes for consistency, and puts the focus on the quality of the issuance process among the three cert types, without changing the permitted validity periods.

(2) Make the revetting rules the same for EV, OV, and DV – each type of cert is vetted in a different manner, so we should make the frequency of revetting the same for the sake of consistency (just once, at the time of issuance).  So even if EV certs are issued for 2 or 3 years, we not require interim revetting by the CA at 12 month periods with revocation if the interim revetting can’t be completed successfully.  One vetting for the EV cert validity period is enough.

Here is our reasoning.

·        On maximum cert lifetime as well as revetting frequency for EV certs: In our experience the validity of an earlier EV vetting virtually never changes after 12 months – the business is the same, etc.  So why force more frequent revetting and issuance for EV certs, where the customer has already taken the extra vetting steps for stronger EV authentication at the start (as compared to an OV cert or DV cert owner)?

·        The EV Guidelines already allow some reuse of EV vetting data under EVGL 11.14.3, and we are not aware of any problems this  has caused.

·        Some have validly pointed out that technical cert requirements change over time, which argues for shorter term validity for all certificate types.  We agree with that consideration, and were in strong support of the Forum’s earlier decision to shorten maximum DV and OV certificate validity to 3 years.  In general, we think 3 years is a reasonable transition time for most changes in certificate technical standards (so that the CA can wait until renewal of the cert to move to the new technical standard for that customer).  However, if a critical technical issue arises (such as SHA-1 deprecation) that requires a faster transition, we have already seen that CAs and customers can complete reissue and installation of updated certs in a compressed timeframe.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro


The information contained in this email and any attachments is confidential

and may be subject to copyright or other intellectual property protection.

If you are not the intended recipient, you are not authorized to use or

disclose this information, and we request that you notify us by reply mail or

telephone and delete the original message from your mail system.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150325/5d5bddc7/attachment-0003.html>

More information about the Public mailing list