[cabfpub] Certificate validity periods

Gervase Markham gerv at mozilla.org
Wed Mar 30 20:20:40 UTC 2016

On 30/03/16 13:11, Jeremy Rowley wrote:
> I’m not so sure a lack of desire to change code is a great reason to
> avoid something that increases security. However, I do like the 27/27
> proposal as a great step forward. Are the browsers opposed to 27/27? The
> only thing in EV really impacted by the longer validity times is domain
> validation thanks to the reuse section of the EV Guidelines. 

What does 27/27 make longer? EV vetting validity periods?

Thing is, if you set a max validity period for vetting, and say that the
renewal has to happen within that period, then your actual max validity
is 2N - 1 i.e. for 27 month validity, it's 26 + 27 = 53, because people
can renew for the maximum period one month before the deadline.

If we said 27/27, where the second 27 meant that the _notAfter_ date (as
opposed to notBefore) could never be more than 27 months after the
vetting, that would be much better.
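
The two readings of "27/27" contrasted in the message above, as an added example that is not part of the original e-mail. It assumes the first number is the maximum certificate validity and the second the vetting limit, uses calendar-month arithmetic, and runs on constructed dates; the function names are hypothetical.

```python
import calendar
from datetime import date

def add_months(d, months):
    """Calendar-month addition; clamps the day (31 Jan + 1 month -> end of Feb)."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def months_between(start, end):
    """Calendar months from start to end, rounded up to a whole month."""
    n = (end.year - start.year) * 12 + (end.month - start.month)
    return n + 1 if add_months(start, n) < end else n

def check(vetted, not_before, not_after, validity=27, reuse=27):
    """Evaluate one certificate under both readings of 'validity/reuse'."""
    vetting_deadline = add_months(vetted, reuse)
    validity_ok = not_after <= add_months(not_before, validity)
    issued_after_vetting = vetted <= not_before
    return {
        # Reading 1: vetting data only has to be fresh when the cert is issued.
        "issuance_rule": validity_ok and issued_after_vetting
                         and not_before <= vetting_deadline,
        # Reading 2: notAfter itself may not pass the vetting deadline.
        "not_after_rule": validity_ok and issued_after_vetting
                          and not_after <= vetting_deadline,
        # How old the vetting data is on the day the certificate expires.
        "vetting_age_at_expiry": months_between(vetted, not_after),
    }

# Constructed sample dates (assumption, not taken from the thread).
VETTED = date(2016, 1, 1)
# Renewed one month before the vetting deadline, for the full 27 months.
LATE_RENEWAL = check(VETTED, date(2018, 3, 1), date(2020, 6, 1))
# Same issuance date, but notAfter capped at the vetting deadline.
CAPPED = check(VETTED, date(2018, 3, 1), date(2018, 4, 1))

if __name__ == "__main__":
    for name, result in (("late renewal", LATE_RENEWAL), ("capped", CAPPED)):
        print(name, result)
```

The late renewal passes the issuance-time reading while relying on vetting data that is 53 months old at expiry; only the notAfter-based reading rejects it.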


