[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Jeremy Rowley jeremy.rowley at digicert.com
Wed Feb 8 17:26:19 MST 2017


If this is the meeting I’m thinking of, we were there and expressed a vote of 2, 2, 2.

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin via Public
Sent: Wednesday, February 8, 2017 5:18 PM
To: CA/Browser Forum Public Discussion List <public at cabforum.org>; Ryan Sleevi <sleevi at google.com>
Cc: Dean Coclin <Dean_Coclin at symantec.com>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

 

Reviewing the minutes from meeting 35 (which I vividly recall chairing), I note:

 

Ryan proposed annual revetting for domain and every second year for organization. Do domain revalidation every year in case the domain has ceased. If something changes, you have to revoke that certificate.

If I want to be evil and shady, I can block revocation information for users accessing the site. Revocation checking that doesn’t work makes a longer certificate validity period a higher risk. 2 years lifetime constrains the upper bounds. Pushing out to 3 years potentially means that the certificate no longer properly warrants who the domain holder is. Decreased validity periods or requirement for OCSP stapling could fix that (or we could fix the revocation problem).

Ryan is concerned with domain revalidation when change of domain ownership takes place. If I sell you sleevie.com I can still get certificates for it the next 39 months.

This goes back to what we are trying to do with CT – if we buy sleevie.com we would like to know what certificates are out there lurking. CT is talking about what happened in the past.

The CAs in this room do pretty interesting experiments on how to do domain control validation. It could be a trade-off: do the identity validation for longer periods and then the domain control validation for a much shorter period.

Different proposals for certificate validity periods came up based on different arguments:

Type    Today   Tim   Wayne   Ryan   Eddy   NN
DV      3       1     3       2      1      2
OV      3       2     3       2      2      3
EV      2       3     3       2      3      3

 

 

Ryan, your proposal at the time was a 2 year max validity for all certs. What specifically has changed your thinking since the meeting? Is it just, shorter is better?

 

Also, the ballot has an implementation of less than 4 months from now. With CAs working on CT for all cert types, vetting changes and likely CAA, roadmaps are filled for probably several quarters. Given the prior lead time given for CT for EV was longer, I’m surprised that there is a belief this can be accomplished in 4 months.

 

Lastly, a large number of customers request 2-3 year certs, not because the CA wants to “lock them in” but because their applications or business processes are set up that way. Sure, we as partners in the ecosystem can effect changes but not in 4 months.

 

A major change like this requires broader user input, which isn’t going to happen on this list. Several CAs have started polling their customers for data and it will take some time to gather and present this. I suggest we set as a goal a presentation at the March F2F by as many CAs as can gather data.


Thanks

 

 

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via Public
Sent: Saturday, February 4, 2017 8:25 AM
To: Eric Mill <eric at konklone.com>
Cc: Ryan Sleevi <sleevi at google.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

 

 

 

On Fri, Feb 3, 2017 at 8:02 PM, Eric Mill <eric at konklone.com> wrote:

This ballot (to me, anyway) came out of nowhere without any prior discussion focused on a potential ballot, and it's a big change from the status quo on the CA side, so I can understand why it's caused a strong reaction. 

 

Just for context, past discussions include

 

https://cabforum.org/pipermail/public/2016-March/007106.html

https://cabforum.org/2016/02/17/2016-02-17-minutes-of-f2f-meeting-37/

https://cabforum.org/2015/10/07/2015-10-07-face-to-face-meeting-minutes-meeting-36-istanbul/#Certificate-Validity-Periods

https://cabforum.org/2015/06/24/2015-06-24-face-to-face-meeting-35-minutes/

https://cabforum.org/2013/11/21/2013-11-21-minutes/

https://cabforum.org/pipermail/public/2013-November/002479.html

 

Basically, the Forum's been talking about it for quite some time. The reactions and responses to Ballot 111 are fairly telling, in that we see many of the same responses from the same members, three years later, and nothing has changed.

 

I realize the proposition of the Ballot itself may be seen as "out of the blue", but the number of incidents in 2017 alone where we've discovered new misissuance, or we've discovered audit irregularities, provides ample evidence that the current ecosystem and incentives are not aligned with security. This is but one step in a positive direction.
