[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Gervase Markham gerv at mozilla.org
Fri Feb 10 02:50:51 MST 2017


On 09/02/17 17:31, Christian Heutger via Public wrote:
> I don’t believe, moving faster is required for normal situations. If
> there are issues arising needing faster reaction, revocation and
> reissue is still a possible way. For normal situations, enterprises
> need to be able to react and they can’t move faster. Why are most
> enterprises skipping one Windows version and roll out the next one?
> As they are not able to move faster in controlled enterprise security
> environments.

If the effort of replacing a certificate is equivalent to the effort of
deploying a new version of Windows, then something is very wrong in that
environment.

We need to get to a place where replacing the security certificate in
_any_ server or appliance is a simple and easily-automatable job. How do
you propose we get there?

> As I understood the discussion, 1 year is the first step on a road to
> months or weeks.

Well, if you still haven't sorted out automation by the time someone
proposes months or weeks, you can oppose it then :-)

>> I'm sure there are plenty of CAs, big and small, who would assert
>> their automation solutions are secure. :-)
> 
> But as you know, there is nothing, which is 100% secure and if we
> talk about certificates in their sense of encryption and(!) identity
> assurance, such job shouldn’t be based on automatism.

I suspect you will find that automated systems are, in fact, more
reliable and secure than manual ones. People doing things manually can
make mistakes. This is why sysadmins like automation.

Gerv


More information about the Public mailing list