[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Gervase Markham gerv at mozilla.org
Thu Feb 9 08:38:26 MST 2017


On 09/02/17 14:59, Doug Beattie via Public wrote:
> the reasons to shorten the lifetime make no sense. His argument was
> about faster phasing out SHA1, but as the CA side for the major CAs by
> paining them to have max. 1 year would not change the clients in
> enterprises to SHA2 faster, I also got an enquiry on a project to
> replace the in-house CA with SHA2 and they were not able to manage it
> earlier, they need the budget and planning, so 13 months for doing
> similar change to SHA3 would be surrealistic.

I can see why there's some confusion here :-) Ryan is not arguing that
we should switch to 13 months so that we will always in future move from
"let's eliminate Algorithm X" to "Algorithm X is gone" in 13 months. One
would always consider lots of data points in setting such a timetable.
His point is that 3.25 year certs make it very hard to move faster than
that in _any_ deprecation scenario, whether simple or complex.

> Also this solution requires automatism and I don't agree that automatism
> is more secure and the trustworthy future. 

I don't agree that replacing your certificates once a year requires
automation. It's made easier by automation, but it doesn't require it.

> Automatism is always
> insecure, it's the solution for the broad masses, but no solution for
> enterprises, it always has weaknesses and may be attackable.

I'm sure there are plenty of CAs, big and small, who would assert their
automation solutions are secure. :-)

Gerv

