[cabfpub] A question about BR Section 6.3.2

Ryan Sleevi sleevi at google.com
Wed Dec 20 15:57:13 UTC 2017

There is no requirement in the CA/Browser Forum at present to require
regular key rotation, nor is there a way for that to be verifiably
implemented across all CAs, as any subscriber can present a preexisting
keypair to another CA.

So no. The limit is to the lifetime of the certificate and the reuse of
validation information.

Changing keys frequently is not a function of the key strength, but a
function of pragmatic key protections. Shorter-lifetime keys, such as 90
days, coupled with automated issuance, appropriately balance the realities
of clock skew in clients versus the practical challenges of meaningful key
protection on Internet-enabled systems.

On Wed, Dec 20, 2017 at 10:45 AM, 陳立群 via Public <public at cabforum.org> wrote:

> My colleague wants to ask that from BR 6.3.2 Certificate Operational
> Periods and Key Pair Usage Periods,
> "Subscriber Certificates issued after 1 March 2018 MUST have a Validity
> Period no greater than 825 days."
> Does the lifetime of every key pair of an OV/DV/IV SSL certificate have to
> be no greater than 825 days after March 2018?
> Not only the discussion about revalidating domain name ownership or OV, IV,
> or processing like SHA-1 sunset issues to shorten the validity. The
> customer should change their RSA 2048-bit key pairs frequently. Right?
> Thanks.
>   Li-Chun Chen
> This email may contain confidential information of Chunghwa Telecom Co., Ltd. If you are not the intended recipient, please do not collect, process or use the contents of this email, and please destroy it.
> If you are the intended recipient, you should properly protect the company's trade secrets and personal data contained in this email, must not distribute or disclose them at will, and should verify the safety of the attachments and hyperlinks in this email yourself,
> so that we jointly fulfil our responsibility for information security and personal data protection.
> Please be advised that this email message (including any attachments)
> contains confidential information and may be legally privileged. If you are
> not the intended recipient, please destroy this message and all attachments
> from your system and do not further collect, process, or use them. Chunghwa
> Telecom and all its subsidiaries and associated companies shall not be
> liable for the improper or incomplete transmission of the information
> contained in this email nor for any delay in its receipt or damage to your
> system. If you are the intended recipient, please protect the confidential
> and/or personal information contained in this email with due care. Any
> unauthorized use, disclosure or distribution of this message in whole or in
> part is strictly prohibited. Also, please self-inspect attachments and
> hyperlinks contained in this email to ensure the information security and
> to protect personal information.
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
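The reply separates two clocks that the question runs together: the validity period of a certificate (capped at 825 days for Subscriber Certificates issued after 1 March 2018 under BR 6.3.2) and the age of the key pair, which the BRs do not cap and which a CA cannot observe, since a subscriber may bring an existing key to any CA. The Go program below is an added example, not code from the thread or from the CA/Browser Forum: it builds two self-signed certificates on one RSA-2048 key (self-signing stands in for CA issuance so it runs offline; names and dates are constructed), checks each validity period against the 825-day limit, and tracks key age by SPKI fingerprint, showing that renewing a certificate with the same key does not reset that clock. Rounding the validity period up to whole days is this example's convention, not the BRs' wording.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// MaxValidityDays is the BR 6.3.2 limit quoted in the thread.
const MaxValidityDays = 825

// BRCutoff is the issuance date from which that limit applies.
var BRCutoff = time.Date(2018, time.March, 1, 0, 0, 0, 0, time.UTC)

const day = 24 * time.Hour

// ValidityDays returns NotAfter minus NotBefore, rounded up to whole days
// (endpoint counting is this example's assumption, not the BR text).
func ValidityDays(c *x509.Certificate) int {
	d := c.NotAfter.Sub(c.NotBefore)
	return int((d + day - time.Nanosecond) / day)
}

// ExceedsBRLimit reports whether a certificate issued on or after the cutoff
// has a validity period longer than 825 days.
func ExceedsBRLimit(c *x509.Certificate) bool {
	return !c.NotBefore.Before(BRCutoff) && ValidityDays(c) > MaxValidityDays
}

// SPKIFingerprint identifies the key pair independently of the certificate:
// certificates with the same SubjectPublicKeyInfo share one key.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// KeyAgeDays groups certificates by key and returns, per key, the days from
// the earliest NotBefore seen for that key until now. A renewal on the same
// key does not reset this clock, which is why certificate lifetime says
// nothing about key rotation.
func KeyAgeDays(certs []*x509.Certificate, now time.Time) map[string]int {
	first := map[string]time.Time{}
	for _, c := range certs {
		fp := SPKIFingerprint(c)
		if t, ok := first[fp]; !ok || c.NotBefore.Before(t) {
			first[fp] = c.NotBefore
		}
	}
	ages := map[string]int{}
	for fp, t := range first {
		ages[fp] = int(now.Sub(t) / day)
	}
	return ages
}

// MakeCert builds a self-signed certificate for key with the given validity;
// self-signing stands in for CA issuance so the example runs offline.
func MakeCert(key *rsa.PrivateKey, cn string, notBefore time.Time, days int) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * day),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildSample constructs two certificates reusing one RSA-2048 key: a 90-day
// certificate from April 2018 and a 900-day one from January 2019 (made-up
// name and dates).
func BuildSample() ([]*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	short, err := MakeCert(key, "example.test", time.Date(2018, time.April, 1, 0, 0, 0, 0, time.UTC), 90)
	if err != nil {
		return nil, err
	}
	long, err := MakeCert(key, "example.test", time.Date(2019, time.January, 1, 0, 0, 0, 0, time.UTC), 900)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{short, long}, nil
}

func main() {
	certs, err := BuildSample()
	if err != nil {
		panic(err)
	}
	for _, c := range certs {
		fmt.Printf("%s: %d days, over 825-day limit: %v, key %s\n",
			c.Subject.CommonName, ValidityDays(c), ExceedsBRLimit(c), SPKIFingerprint(c)[:16])
	}
	asOf := time.Date(2020, time.January, 1, 0, 0, 0, 0, time.UTC)
	for fp, age := range KeyAgeDays(certs, asOf) {
		fmt.Printf("key %s in use for %d days as of %s\n", fp[:16], age, asOf.Format("2006-01-02"))
	}
}
```

Run against a real inventory, the same two checks separate a certificate-validity finding (a BR 6.3.2 matter the CA must enforce) from a key-age finding (a subscriber-side key-protection decision, as the reply frames it), and the SPKI grouping reveals a key that has been carried across many renewals and even across CAs.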