[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Ryan Sleevi sleevi at google.com
Fri Feb 10 10:04:55 MST 2017


On Fri, Feb 10, 2017 at 8:58 AM, philliph--- via Public <public at cabforum.org> wrote:

> Which is the reason I think that making the change proposed for the reason
> proposed will actually make the WebPKI less secure, less robust.
>

s/reason proposed/reasons proposed/

Note the plural.

Absent this change, if Browsers were to require that all new certificates
contain the id-kp-serverAuth EKU, from intermediates that contain the
id-kp-serverAuth EKU, from roots that contain the id-kp-serverAuth EKU - as
a very simple example - how long do you believe this migration would take?

Similarly, if Browsers were to require that all new EV certificates contain
the CABForum EV OID, rather than the per-CA OID, how long do you believe
this change should take?

Similarly, if Relying Parties want to be assured that all certificates they
trust had their domain names validated via the methods in Ballot 169,
rather than in the pre-169 or post-180 method, such as "The CA consulted a
santeria to ensure that the domain was authorized" (under the basis of Any
Other Method), when do you believe Relying Parties could have that
confidence in the ecosystem?

Regrettably, I will find it necessary to highlight this every time it's
advanced, because it's not the argument being presented, and needs to be
corrected, lest this alternative fact be seen as correct through its
continued repetition.