[cabfpub] Certificate validity periods

Rich Smith richard.smith at comodo.com
Thu Mar 31 12:24:07 UTC 2016

On 3/30/2016 3:04 PM, Jeremy Rowley wrote:
> Thanks Rich -- comments are in-line
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rich Smith
> Sent: Wednesday, March 30, 2016 10:32 AM
> To: public at cabforum.org
> Subject: Re: [cabfpub] Certificate validity periods
> Jeremy,
> I'm not sure Comodo would support any change at this point, but if we 
> were to change I'd like to propose, let's call it 1c;
> Set all max validity to 27 months; Require re-validation for all at 27 
> months.
> {JR} I'd be okay with that. In fact, I like the proposal.
> I'm against your proposal of 1a for the same reasons I don't like 
> 27/13 for EV. It puts us in the position of having to redo validation of a 
> replacement request by the customer.  In this case, the customer would 
> get the DV or OV for 27 months, be able to replace at will, renew the 
> cert for an additional 27 months, but be subject to revalidation half 
> way through the 2nd when trying to get a replacement/re-issuance.  
> This is bad enough with EV already, and I'm very much against 
> extending it to OV/DV.  If we can't find a reasonable path to match up 
> the re-validation requirement with max validity then I'm against 
> making any changes.
> {JR} 1a was the opposite. It was have validation good for 39 months 
> and just require reissuance of the cert every 2 years.
[RWS] I got that, but it still puts the limit on previous verification 
into the middle of a term of certificate validity so it amounts to the 
same problem we have now with EV, just during the 2nd order rather than 
the first.
> From the customer perspective, they expect to have to jump through 
> hoops at the point of placing a new order.  We don't generally get 
> push back on that.  What they don't expect, and what it is very 
> difficult to make them understand is having to jump through the hoops 
> again during the validity period of the same order.  The customer 
> doesn't understand these requirements and it causes a bad customer 
> experience, for which they blame the CA.
> {JR} No hoops. Well, no different hoops than before. It just shortens 
> the validity period of certs, permitting faster changes in industry 
> standards and encouraging key reuse. Fair note that I will likely 
> eventually ask for some limits on key reuse at some point...
> -Rich
> On 3/30/2016 11:04 AM, Jeremy Rowley wrote:
>     Hi everyone,
>     I'd like to resurface the certificate validity period discussion
>     and see if there is a way to move this forward.  I'm still keen on
>     seeing a standardized maximum validity period for all certificate
>     types, regardless of whether the certificate is DV, OV, or EV. I
>     believe the last time this was discussed, we reached an impasse
>     where the browsers favored a shorter validity period for OV/DV and
>     the CAs were generally supportive of a longer-lived EV certificate
>     (39 months). The arguments for a shorter validity period were 1)
>     encourages key replacement, 2) ensures validation occurs more
>     frequently, 3) deters damage caused by key loss or a change in
>     domain control, and 4) permits more rapid changes in industry
>     standards and accelerates the phase-out of insecure practices. The
>     argument for longer validity periods: 1) customers prefer longer
>     certificate validity periods, and 2) the difficulty in frequent
>     re-validation of information.
>     So far, there seem to be two change proposals with a couple of
>     variations:
>     1) Set all certificate validity periods to no more than 27 months
>        a. Require re-validation of information for OV/DV certificates at
>           39 months OR
>        b. Require re-validation of information for all certs at 13 months
>     2) Set all certificate validity periods to 39 months
>        a. Require re-validation every 13 months
>        b. Require re-validation of information for OV/DV certificates at
>           39 months
>     What are the objections to 1a? With all the automated installers
>     abounding, 1a seems to capture the simplicity and customer
>     convenience of 39 months with the advantages of shorter-lived
>     certs. Who would oppose/endorse a ballot that does one of these?
>     Jeremy
>     _______________________________________________
>     Public mailing list
>     Public at cabforum.org  <mailto:Public at cabforum.org>
>     https://cabforum.org/mailman/listinfo/public

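The disagreement above is really about scheduling: whether the point at which previously collected validation data expires lands on an order boundary or in the middle of a certificate term. The following Python is an added illustration of that point; it is not code from the thread, the CA/Browser Forum, or any CA. Its model is an assumption: the subscriber orders a maximum-validity certificate at month 0, renews for a full term each time the certificate expires, may ask for a replacement/re-issuance in any month, and a request requires fresh validation when the most recent validation is at least `revalidation_months` old. The three policies compared are proposal 1a (27-month certs, 39-month validation reuse), Rich's "1c" (27/27), and proposal 2a (39/13).

```python
"""Model when re-validation falls relative to certificate terms.

Added example for the cabfpub validity-period discussion; not code from
the thread or from any CA. Assumptions (not stated on the page):
  * months are the unit, terms start at month 0;
  * the subscriber renews for a full max-validity term at each expiry;
  * a replacement/re-issuance can be requested in any month;
  * validation is redone at a request only when the last validation is
    at least `revalidation_months` old.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    max_validity_months: int     # longest certificate term allowed
    revalidation_months: int     # how long validation data may be reused


@dataclass(frozen=True)
class Event:
    month: int
    kind: str                    # "order", "renewal" or "replacement"
    revalidated: bool            # validation was redone for this request
    mid_term: bool               # redone inside a term, not at an order


def simulate(policy, horizon_months, replacement_months=()):
    """Return the chronological list of subscriber requests and whether
    each one triggered re-validation under `policy`."""
    requests = {m: "replacement" for m in replacement_months if m > 0}
    # Renewals fall at every multiple of the maximum validity; a renewal
    # in the same month as a replacement request is just a renewal.
    month = policy.max_validity_months
    while month < horizon_months:
        requests[month] = "renewal"
        month += policy.max_validity_months

    last_validation = 0          # initial order validates at month 0
    events = [Event(0, "order", True, False)]
    for month in sorted(requests):
        kind = requests[month]
        needs_revalidation = (
            month - last_validation >= policy.revalidation_months
        )
        if needs_revalidation:
            last_validation = month
        # Rich's complaint: validation redone for a replacement, i.e.
        # during the validity period of an order already placed.
        mid_term = needs_revalidation and kind == "replacement"
        events.append(Event(month, kind, needs_revalidation, mid_term))
    return events


def mid_term_revalidations(policy, horizon_months, replacement_months=()):
    """Months in which a replacement request forced re-validation."""
    return [
        e.month
        for e in simulate(policy, horizon_months, replacement_months)
        if e.mid_term
    ]


PROPOSALS = {
    "1a (27-month certs, re-validate at 39)": Policy(27, 39),
    "1c (27-month certs, re-validate at 27)": Policy(27, 27),
    "2a (39-month certs, re-validate at 13)": Policy(39, 13),
}

if __name__ == "__main__":
    # Constructed scenario: replacements requested at months 13, 40, 67.
    replacements = (13, 40, 67)
    for name, policy in PROPOSALS.items():
        months = mid_term_revalidations(policy, 81, replacements)
        print(f"{name}: mid-term re-validation at months {months or 'none'}")
```

With replacements requested at months 13, 40 and 67, proposal 1a forces re-validation at month 40, in the middle of the second 27-month term, which is exactly the case Rich describes; 1c never does, because the 27-month reuse limit coincides with each renewal; 2a forces it at months 13 and 67, inside the first and second 39-month terms.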
