[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Ryan Sleevi sleevi at google.com
Thu Feb 9 14:57:31 MST 2017


Except it doesn't manifest as any real issues until June 2018.

Or do we believe 16 months is too short a time to make changes?

On Thu, Feb 9, 2017 at 1:48 PM, Jeremy Rowley via Public <
public at cabforum.org> wrote:

> Right - I think the primary issue is this comes into effect on May 7th of
> this year. It takes a lot of subscribers by surprise.
>
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Dean
> Coclin via Public
> Sent: Thursday, February 9, 2017 2:42 PM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Dean Coclin <Dean_Coclin at symantec.com>
> Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of
> Certificates: User input
>
> Jody,
> I don't think you will get too many people disagreeing with your
> statement. But I think the issue for most is the implementation timeline,
> in light of other programmed roadmap actions and customer
> education/notification which must accompany this. That seems to be ignored
> by the proponents and doesn't show much respect toward building consensus
> in a consensus organization.
>
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jody
> Cloutier via Public
> Sent: Thursday, February 9, 2017 12:48 PM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Jody Cloutier <jodycl at microsoft.com>
> Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of
> Certificates: User input
>
> I'm the first to admit that I haven't been following this thread as
> closely as I would like, but, from Microsoft's perspective, we want shorter
> certificates and not longer. We would certainly endorse a ballot that would
> mandate shorter certificate life for the very reason stated below: if we
> want to eliminate X we would know exactly when the last cert will expire.
> We've gone so far as to consider mandating this as a program requirement.
> Anyway, that's our .02.
>
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Christian
> Heutger via Public
> Sent: Thursday, February 9, 2017 9:31 AM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Christian Heutger <ch at psw.net>
> Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of
> Certificates: User input
>
> > I can see why there's some confusion here :-) Ryan is not arguing that
> > we should switch to 13 months so that we will always in future move from
> > "let's eliminate Algorithm X" to "Algorithm X is gone" in 13 months. One
> > would always consider lots of data points in setting such a timetable. His
> > point is that 3.25 year certs make it very hard to move faster than that
> > in _any_ deprecation scenario, whether simple or complex.
>
> I don't believe moving faster is required for normal situations. If there
> are issues arising needing faster reaction, revocation and reissue is still
> a possible way. For normal situations, enterprises need to be able to react
> and they can't move faster. Why are most enterprises skipping one Windows
> version and rolling out the next one? Because they are not able to move
> faster in controlled enterprise security environments.
>
> > I don't agree that replacing your certificates once a year requires
> > automation. It's made easier by automation, but it doesn't require it.
>
> As I understood the discussion, 1 year is the first step on a road to
> months or weeks.
>
> > I'm sure there are plenty of CAs, big and small, who would assert their
> > automation solutions are secure. :-)
>
> But as you know, there is nothing that is 100% secure, and if we talk
> about certificates in their sense of encryption and(!) identity assurance,
> such a job shouldn't be based on automatism.
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public