[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Josh Aas josh at letsencrypt.org
Wed Feb 1 13:45:07 UTC 2017


I would still endorse at 13 months.

On Tue, Jan 31, 2017 at 9:22 PM, Ryan Sleevi via Public
<public at cabforum.org> wrote:
>
>
> On Tue, Jan 31, 2017 at 9:15 PM, Andrew Ayer <andrew at sslmate.com> wrote:
>>
>> On Tue, 31 Jan 2017 20:37:19 -0800
>> Ryan Sleevi via Public <public at cabforum.org> wrote:
>>
>> > Except what we're seeing is that subscribers aren't renewing annually
>> > - they're renewing every 13 months (or 27 or 39).
>> >
>> > That is, it's unclear that the practical benefit of the buffer is
>> > there, but it'd be great to understand if something is being missed.
>> >
>> > Put differently, why can't CAs begin reaching out to their customers
>> > one month before it expires (e.g. on month 11)? What makes month 12
>> > more special than month 11, from the perspective of the
>> > customer/subscriber/applicant?
>> >
>> > For that matter, it would seem like 12 months is *more* customer
>> > friendly, because then they can get into an annual habit of replacing
>> > their cert. If it were 13 months, and CAs continued the current
>> > practice of notifying at some point of (T-1 month / T-2 months), then
>> > every year, the subscriber will be installing the cert one month
>> > later - until suddenly they find themselves in that
>> > November/December/January "production freeze" and find themselves
>> > scrambling.
>>
>> To avoid the expiration date drifting every year, a renewed
>> certificate's notAfter date must be exactly one year after the current
>> certificate's notAfter date.  With a 12 month limit, the CA could only
>> do this by issuing the renewed certificate exactly when the current
>> certificate expires, which is clearly unworkable since it allows no
>> time for cutover.
>>
>> In contrast, a 13 month limit would allow a CA to issue the renewed
>> certificate up to one month before the current certificate expires,
>> with a validity period between 12 and 13 months as necessary to make
>> the expiration date sync up.  This is far friendlier.
>>
>> Regards,
>> Andrew
>
>
> Ah, right, that's the bit I was missing. Thanks for highlighting that.
>
> Jeremy, if this were updated to 13 months, would you be willing to endorse?
> Josh, would the delta of a month cost us ISRG's endorsement?
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>



-- 
Josh Aas
Executive Director
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA
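The renewal arithmetic in Andrew's reply above (issue the renewal up to a month early, with a validity period between 12 and 13 months chosen so the new notAfter lands exactly one year after the old one) is small enough to show as code. The following is an added example written for this archive page, not code from anyone in the thread or from any CA. It assumes the lifetime cap is expressed in calendar months and that "one year after" means the same calendar date in the next year (clamped to the month's last day where needed); the function names are my own.

```python
import calendar
from datetime import date, timedelta
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamping the day to the target month's length
    (e.g. 2017-01-31 + 1 month -> 2017-02-28)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def plan_renewal(current_not_after: date, issue_date: date,
                 max_months: int) -> Optional[date]:
    """Return the notAfter a CA should put on a renewal issued on issue_date so
    that expiry stays on the same anniversary as the current certificate, or
    None if the maximum lifetime (max_months, assumed here to be a calendar-
    month cap) makes that impossible from this issue date."""
    target_not_after = add_months(current_not_after, 12)
    longest_allowed = add_months(issue_date, max_months)
    if target_not_after > longest_allowed:
        return None
    return target_not_after


def renewal_window_days(current_not_after: date, max_months: int) -> int:
    """How many days before the current expiry a CA can issue and still hit
    the anniversary. Found by stepping back one day at a time while the
    capped lifetime still reaches the target (at most a few dozen steps)."""
    target_not_after = add_months(current_not_after, 12)
    earliest = current_not_after
    while add_months(earliest - timedelta(days=1), max_months) >= target_not_after:
        earliest -= timedelta(days=1)
    return (current_not_after - earliest).days


if __name__ == "__main__":
    # Constructed sample: a certificate expiring 15 March 2017, renewed on 20 Feb.
    current = date(2017, 3, 15)
    renewal_day = date(2017, 2, 20)
    for cap in (12, 13):
        planned = plan_renewal(current, renewal_day, cap)
        window = renewal_window_days(current, cap)
        print(f"{cap}-month cap: window before expiry = {window} days, "
              f"renewal on {renewal_day} -> notAfter {planned}")
```

With a 12-month cap the window collapses to zero days (the only issue date that preserves the anniversary is the current expiry itself), which is Andrew's "no time for cutover" point; with a 13-month cap the same certificate can be renewed any day in the final month and still expire on 15 March the following year.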

