[cabfpub] [EXT] Re: Ballot 194 – Effective Date of Ballot 193 Provisions

Ryan Sleevi sleevi at google.com
Mon Apr 3 22:11:05 UTC 2017

Hi Steve,

Apologies if I've misunderstood your response, but I think you've still
failed to answer my question. I've tried to restate my question, in the
event it was not clear.

What changes, for a CA operator or a site operator, if it's pushed back to
March 1, 2018 versus April 22, 2017?

As I see it, a request comes in, whether on March 1 or April 22, and you
(the CA) need to check whether you have comprehensive data revalidated at
an appropriate time. On either day, it's possible that the last time the
customer requested a certificate, it will have been outside the 2Y window.
This is no different than the act of issuing a new certificate - that is,
assuming you're actually validating certificate requests and their data
before issuing the certificate, something not all CAs may be doing.

Perhaps you mean there's a friction involved in issuing a new certificate,
which is reduced the more certificates are reissued, by amortizing the
validation. While I can understand the desire not to revalidate
information, it's worth highlighting that it serves as a very effective way
for CAs to introduce market friction into switching CAs, by allowing the
current CA of record (who has already validated the information) to issue
the certificate with less work than their competitors (who must validate it
as a new request). I would hope that's not your intent to suggest that is a
useful or desirable property, given our antitrust statement, and I would
also hope we should acknowledge it as an undesirable restriction on the

Perhaps you had a different reason in mind, though, and I hope you can
clearly articulate it, if so.

I don't think I've understated any impact. Whether on April 22, 2017 or
March 1, 2018, existing customers will approach their CA and request new
certificates. On those days, the CA will find some subset of their users
that they need to revalidate. It's not all of their existing certificates.
It's not all of their existing users. It's a portion of users that the CA
hasn't had contact with for three years. That population doesn't change.

Perhaps your implied message is that by deferring it later, CAs can reach
out to their customers and let them know and prepare/explain to them the
costs. But we've also heard - particularly from Symantec - that no matter
how much outreach goes on, customers fail to be prepared. See the SHA-1
exception process, the 1024-bit misissuance, and the failure of sub-CAs as
all cases where Symantec indicated that it was caused by an inability to
communicate with their customer and prepare them for the transition, thus
business-critical systems were affected, hence the misissuance was

Symantec has also demonstrated it's capable of sending emails to every
customer in light of upcoming changes - I can think of several recently -
so I'm not sure I understand your objection there either, if that was it.
Does the need to revalidate information change what the customer can or
needs to do, especially given it only affects the population of users
renewing certificates? Why? How do you quantify that? If there is impact,
how is it justified to be March 1, 2018, versus say May 1, 2017? What
difference does the additional time make, why, and how is that justified
compared to the security benefits and increased market flexibility the
proposal, as currently adopted, brings?

On Mon, Apr 3, 2017 at 5:46 PM, Steve Medin <Steve_Medin at symantec.com>

> My point is that they do. A lot. It pays bills and employs people. It
> causes an industry.
> It understates the day to day effort in operating a CA to dismiss the
> impact that the site operator needs to apply.
> The rest of the message does indeed apply on April 22, and some CAs will
> need to scramble to operate that day.
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Monday, April 03, 2017 1:00 PM
> *To:* Steve Medin <Steve_Medin at symantec.com>
> *Cc:* CA/Browser Forum Public Discussion List <public at cabforum.org>
> *Subject:* Re: [EXT] Re: [cabfpub] Ballot 194 – Effective Date of Ballot
> 193 Provisions
> On Mon, Apr 3, 2017 at 3:57 PM, Steve Medin <Steve_Medin at symantec.com>
> wrote:
> On April 22, nearly one third of the authentication databases of all
> certificate authorities is invalidated. All data currently held from work
> done between 825 days and 39 months ago is wiped from use when it could
> have been consumed until March 1 if 193 was written as Chris seems to have
> intended.
> But that doesn't matter unless someone applies for a certificate.
> You don't need to reissue all of those certificates. Only ones which are
> expired and/or need to be reissued.
> This exact same problem would occur on March 1, 2018. Literally everything
> else in your message still applies, so please help me understand what makes
> this different at all.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170403/230e0e79/attachment-0003.html>

More information about the Public mailing list