[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Thu Feb 9 14:54:35 MST 2017 

On Thu, Feb 9, 2017 at 1:41 PM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> Without discussing product roadmaps or timelines, can you help me
> understand what you believe is challenging about such a change or why it
> might take anything more than a week or two to implement?
>
>
>
> >>This solely focuses on the technical implementation and unfortunately
> misses the greater challenges to users, many which have applications
> outside of the traditional browser-server relationship. I and other members
> have received a steady flow of emails from customers, partners and
> organizations concerned about this reduction in validity and especially the
> corresponding lead time.
>

Except, as noted, this doesn't cause any form of outage or breakage until
June 2018. I do hope this is ample time to develop polices and practices -
since no automation is required at 13 months - to prepare for that.

If not, we're doing the PKI wrong.


> What about Managed SSL customers that have prepaid two and three year
> certs on invoices? What about contracts and the time to renegotiate them?
> It’s not only the CA’s portal that needs to be updated but perhaps partners
> and all their contracts that may have commitments.
>

Do you believe the CAs who find themselves in such cases were making a good
faith effort to participate in the CA/Browser Forum, knowing that
discussions have been occurring for three years on this topic? Did such CAs
simply assume that any possible attempt to change would be blocked?

Doesn't this capture the very problem we're trying to solve quite well?
That is, because some members have baked certain practices into contracts,
and because such contracts have prolonged validity periods, what I'm
hearing you say is that it's difficult for such CAs to make or enforce such
changes until those contracts can be changed.

What you're hearing from browsers is that because certain practices are
baked into certificates, and because such certificates have prolonged
validity periods, it's difficult to make or enforce such changes until
those certificates can be changed.

How wonderfully fortuitous that we have a path whose principles might be
able to be applied to contracts much in the way they're applied to
certificates, and how illuminating as to the dangers and difficulties of
phasing out insecure practices.

However, I take heart in Doug's most recent suggestion -
https://cabforum.org/pipermail/public/2017-February/009532.html - and
suspect that the right approach to the problem you raise is similar to the
approach Doug has suggested and which browsers, such as Microsoft Edge and
Google Chrome, are taking: "go ahead and block them, they’ve all been
warned and should be prepared for the consequences"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170209/41d3fd10/attachment.html>

More information about the Public mailing list