[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Mon Feb 6 15:54:07 MST 2017

Doug,

I don't think it's particularly useful to continue the thread, especially
with the email client you're using, as it makes it increasingly difficult
to reply. It also means that each one of our e-mails is going to continue
to get longer as I try to re-explain each of the problems with your
arguments.

I'll again try to briefly recap your salient points:

- While I appreciate the offer for the F2F discussion, we've been
discussing this for 3 years now. I think we've reasonably exhausted the new
information available to share here, and should recognize we may simply
need to agree to disagree, and vote accordingly.
- You've misunderstood how CAA works, both within policy and
technologically. I'm happy to help correct that understanding of CAA on a
separate thread if you'd like, but I don't think it's worth continuing on
this thread if we want to have a productive discussion of the topic at hand
(and not get lost in the weeds)
- Similarly, your remarks regarding Google checking CAA (or not) ignore the
larger policy, and attempt to incorrectly frame both the historical context
and the practical implementation. This likely stems from the above
misunderstanding of CAA, which is, again, better corrected separately.
- Your reference to Rob's arguments regarding revocation vs expiration fail
to understand how both are implemented, practically speaking, and of the
issues. It would be best to address that thread of thinking separately (as
Rob thankfully has), but again, I suspect this may be an intentional
misunderstanding.
- Regarding your understanding of SHA-1, I'm not sure how much more I can
share with you in a way that doesn't simply involve pointing out that
you're wrong. I mean that constructively, but again, by attempting to posit
it as an RP problem, you're intentionally ignoring the data shared by
multiple browser vendors, you're ignoring our priorities regarding user
experience, and you're ignoring the reality of how it actually played out.
It's unclear whether this is intentional or whether you're
misunderstanding, but I'm trying to make it clear that you're empirically
incorrect about how SHA-1 played out, and that you're empirically wrong
about the user impact. Quite simply, how SHA-1 was handled is not an
acceptable way to handle future deprecations for CAs that wish to remain
trusted, full stop.
- To your points about future improvements, I feel at this point my fingers
are getting numb pointing out the many ways in which these validity periods
improve the ecosystem. Your assertions about CT, CAA, and SHA-1 are based
in a misunderstanding, and you're ignoring all of the other discussions for
which the Forum has (and continued) to spin its wheels on. Perhaps it's
that you've simply not read the replies, but hopefully something like
https://cabforum.org/pipermail/public/2017-February/009475.html will help
better inform on the perspective I'm sharing here.

I appreciate your offer of extending to 18-27 months, but you have yet to
share any meaningful data to support that, so I must respectfully decline.
I believe this is a similar situation as with CAA, and the replies in
https://cabforum.org/pipermail/public/2017-January/009304.html and
https://cabforum.org/pipermail/public/2017-January/009308.html are probably
relevant here in explaining why such a compromise, however appealing, is
unsound on both technical and policy grounds. It's likely related to the
similar technical misunderstanding, but I'm not sure how we can
meaningfully progress here.

As I want to suggest concrete action items:
- Perhaps it would be useful in the Forum to explain why the SHA-1
deprecation was a bad deprecation, as far as deprecations go, and why it's
bad for the Internet and for users to approach it the way CAs did.
- Perhaps it would be useful to hold an educational section on CAA, similar
to our last F2F, as it appears there's some critical misunderstanding here.

How does that sound? If others don't feel it's useful, I'd be happy to set
some time aside to work through separately with you to explain the
misunderstandings and hopefully work through your confusion.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170206/9ab92ec7/attachment.html>