[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Dean Coclin Dean_Coclin at symantec.com
Wed Feb 8 17:17:34 MST 2017


Reviewing the mins from meeting 35 (which I vividly recall chairing), I note:

Ryan proposed annual revetting for domain and every second year for organization. Do domain revalidation every year in case the domain has ceased. If something changes, you have to revoke that certificate.
If I want to be evil and shady, I can block revocation information for users accessing the site. Revocation checking that doesn’t work makes a longer certificate validity period a higher risk. 2 years lifetime constrains the upper bounds. Pushing out to 3 years potentially means that the certificate no longer properly warrants who the domain holder is. Decreased validity periods or requirement for OCSP stapling could fix that (or we could fix the revocation problem).
Ryan is concerned with domain revalidation when change of domain ownership takes place. If I sell you sleevie.com I can still get certificates for it the next 39 months.
This goes back to what we are trying to do with CT – if we buy sleevie.com we would like to know what certificates are out there lurking. CT is talking about what happened in the past.
The CAs in this room do pretty interesting experiments on how to do domain control validation. It could be a trade-off, do the identity validation for longer periods and then the domain control validation for a much shorter period.
Different proposals for certificate validity periods came up based on different arguments (maximum validity in years):

Type   Today   Tim   Wayne   Ryan   Eddy   NN
DV     3       1     3       2      1      2
OV     3       2     3       2      2      3
EV     2       3     3       2      3      3



Ryan, your proposal at the time was a 2 year max validity for all certs. What specifically has changed your thinking since the meeting? Is it just, shorter is better?

Also, the ballot has an implementation of less than 4 months from now. With CAs working on CT for all cert types, vetting changes and likely CAA, roadmaps are filled for probably several quarters. Given the prior lead time given for CT for EV was longer, I’m surprised that there is a belief this can be accomplished in 4 months.

Lastly, a large amount of customers request 2-3 year certs, not because the CA wants to “lock them in” but because their applications or business processes are set up that way. Sure, we as partners in the ecosystem can effect changes but not in 4 months.

A major change like this requires broader user input, which isn’t going to happen on this list. Several CAs have started polling their customers for data and it will take some time to gather and present this. I suggest we set as a goal a presentation at the March F2F by as many CAs as can gather data.

Thanks
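The two risks recorded in the meeting-35 minutes above, a certificate outliving the domain validation it was issued on and a certificate outliving a change of domain ownership, are easy to quantify once you can read a certificate's validity period. The following is an added example, not code from this thread or from the CA/Browser Forum: a standard-library Python script that pulls notBefore/notAfter out of a DER-encoded certificate, checks the period against a cap expressed in months (39 months for today's maximum, 12/24/36 for the proposals in the table), and computes how many days a certificate stays valid after a domain transfer on a given date. The sample certificate is a constructed, unsigned DER skeleton built in the script so that it runs offline; the function and constant names are the example's own.

```python
"""Measure a certificate's validity period and its tail beyond a domain transfer.
Added example for the ballot-185 discussion; standard library only."""
import calendar
from datetime import datetime, timezone

# ---------- minimal DER helpers ----------

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short form and 1-2 byte long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, body, position just after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def parse_time(tag: int, raw: bytes) -> datetime:
    """RFC 5280 Validity times are UTCTime (0x17) or GeneralizedTime (0x18), always in Z."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def certificate_validity(der: bytes):
    """Walk Certificate -> TBSCertificate -> Validity; return (notBefore, notAfter)."""
    _, cert_body, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)          # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                             # [0] EXPLICIT version is optional
        pos = nxt
    _, _, pos = read_tlv(tbs, pos)              # serialNumber
    _, _, pos = read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)              # issuer Name
    _, validity, _ = read_tlv(tbs, pos)         # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, nxt = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, nxt)
    return parse_time(t1, nb), parse_time(t2, na)

# ---------- policy checks ----------

def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def validity_days(der: bytes) -> int:
    nb, na = certificate_validity(der)
    return (na - nb).days


def exceeds_cap(der: bytes, cap_months: int) -> bool:
    """True if notAfter lies beyond notBefore + cap_months (39 = today's maximum)."""
    nb, na = certificate_validity(der)
    return na > add_months(nb, cap_months)


def stale_days_after_transfer(der: bytes, transfer_date: str) -> int:
    """Days the certificate stays valid after the domain changes hands on
    transfer_date (YYYY-MM-DD, UTC): the sleevie.com window from the minutes."""
    _, na = certificate_validity(der)
    transfer = datetime.strptime(transfer_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return max(0, (na - transfer).days)

# ---------- constructed sample input ----------

def build_skeleton_cert(not_before: datetime, not_after: datetime) -> bytes:
    """Constructed sample: an unsigned Certificate skeleton carrying only the TBS
    fields up to Validity. Not a real certificate; it gives the parser input."""
    def utc(d: datetime) -> bytes:
        return der_tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))                           # v3
    serial = der_tlv(0x02, b"\x01")
    sigalg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    issuer = der_tlv(0x30, b"")                                               # empty Name suffices
    validity = der_tlv(0x30, utc(not_before) + utc(not_after))
    return der_tlv(0x30, der_tlv(0x30, version + serial + sigalg + issuer + validity))


# Constructed: a 39-month certificate issued on the date of this message.
SAMPLE_39_MONTH = build_skeleton_cert(
    datetime(2017, 2, 8, tzinfo=timezone.utc),
    datetime(2020, 5, 8, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for label, cap in (("today: 39 months", 39), ("Ryan at F2F 35: 2 years", 24), ("Tim DV: 1 year", 12)):
        print(f"{label:<26} exceeds cap: {exceeds_cap(SAMPLE_39_MONTH, cap)}")
    print("days valid after a 2018-02-08 transfer:",
          stale_days_after_transfer(SAMPLE_39_MONTH, "2018-02-08"))
```

The month-based cap matters: a cap of 39 months is not 39 × 30 days, so the check adds calendar months to notBefore rather than comparing day counts. To run the check on real certificates, replace SAMPLE_39_MONTH with the DER bytes of a certificate read from disk; the parser only walks the fields that precede Validity, so it does not care about the signature or extensions.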


From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Saturday, February 4, 2017 8:25 AM
To: Eric Mill <eric at konklone.com>
Cc: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates



On Fri, Feb 3, 2017 at 8:02 PM, Eric Mill <eric at konklone.com> wrote:
This ballot (to me, anyway) came out of nowhere without any prior discussion focused on a potential ballot, and it's a big change from the status quo on the CA side, so I can understand why it's caused a strong reaction.

Just for context, past discussions include

https://cabforum.org/pipermail/public/2016-March/007106.html
https://cabforum.org/2016/02/17/2016-02-17-minutes-of-f2f-meeting-37/
https://cabforum.org/2015/10/07/2015-10-07-face-to-face-meeting-minutes-meeting-36-istanbul/#Certificate-Validity-Periods
https://cabforum.org/2015/06/24/2015-06-24-face-to-face-meeting-35-minutes/
https://cabforum.org/2013/11/21/2013-11-21-minutes/
https://cabforum.org/pipermail/public/2013-November/002479.html

Basically, the Forum's been talking about it for quite some time. The reactions and responses to Ballot 111 are fairly telling, in that we see many of the same responses from the same members, three years later, and nothing has changed.

I realize the proposition of the Ballot itself may be seen as "out of the blue", but the fact of how many incidents in 2017 alone where we've discovered new misissuance, or we've discovered audit irregularities, provides ample evidence that the current ecosystem and incentives are not aligned with security. This is but one step in a positive direction.