[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Thu Feb 2 15:21:54 MST 2017


On Thu, Feb 2, 2017 at 6:17 AM, García Jimeno, Oscar <o-garcia at izenpe.eus>
wrote:

> It’s clear that customers (normally) prefer to have more usability and
> sacrifice some security; they don’t want to have to renew all their
> certificates every year. I suppose this situation is the same for every
> CA. Of course we need to think about security, that’s because in Izenpe we
> have defined a policy where we need to validate all documents every time,
> it doesn’t matter if it’s a new application or a renovation. And a DV is
> not the same as an EV; validations for EVs, as you know, are much harder.
> If we force all clients to renew all their certificates every year,
> probably they would request DVs or OVs instead of EV, because they are
> easier to get. Therefore I think we would reduce security, reducing the
> quality of certificates.  One possible intermediate solution would be to
> limit the lifetime of all certificates to 27 months, and restrict some more
> the reuse of validation information (ballot 186).
>

Your data largely speaks to "How the world is" - but it's not fair or
reasonable to use that data to conclude things are better simply because
they are that way.

That is, put differently, just because there are thousands upon thousands
of people dying every day, we don't say that's a good state. We have to
more carefully look at why. So I appreciate you sharing the data, but I
don't think it really helps objectively move the discussion forward.