[cabfpub] Certificate validity periods

[Doug Beattie]

Sorry - please ignore that last email, it was intend for the Validation working group list.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Doug Beattie
Sent: Wednesday, March 30, 2016 12:32 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; public at cabforum.org
Subject: Re: [cabfpub] Certificate validity periods

I made the new options sections, vs. a numbered list.  Changes tracked.

I'm OK with the reminder.

Doug

From: public-bounces at cabforum.org<mailto:public-bounces at cabforum.org> [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Wednesday, March 30, 2016 12:04 PM
To: public at cabforum.org<mailto:public at cabforum.org>
Subject: [cabfpub] Certificate validity periods

Hi everyone,

I'd like to resurface the certificate validity period discussion and see if there is a way to move this forward.  I'm still keen on seeing a standardized maximum validity period for all certificate types, regardless of whether the certificate is DV, OV, or EV. I believe the last time this was discussed, we reached an impasse where the browsers favored a shorter validity period for OV/DV and the CAs were generally supportive of a longer-lived EV certificate (39 months). The argument for a shorter validity period were 1) encourages key replacement, 2) ensures validation occurs more frequently, 3) deters damage caused by key loss or a change in domain control, and 4) permits more rapid changes in industry standards and accelerates the phase-out of insecure practices. The argument for longer validity periods: 1) customers prefer longer certificate validity periods, and 2) the difficulty in frequent re-validation of information.

So far, there seems to be two change proposals with a couple of variations:


1)      Set all certificate validity periods to no more than 27 months

a.      Require re-validation of information for OV/DV certificates at 39 months OR

b.      Require re-validation of information for all certs at 13 months

2)      Set all certificate validity periods to 39 months

a.      Require re-validation every 13 months

b.      Require re-validation of information for OV/DV certificates at 39 months

What are the objections to 1a? With all the automated installers abounding, 1a seems to capture the simplicity and customer convenience of 39 months with the advantages of shorter-lived certs. Who would oppose/endorse a ballot that does one of these?

Jeremy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160330/9f64ac3b/attachment-0003.html>