[cabfpub] Ballot 185 - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Thu Feb 16 15:40:16 MST 2017


On Thu, Feb 16, 2017 at 2:26 PM, Dean Coclin <Dean_Coclin at symantec.com>
wrote:

> I know that many CAs are working to get this “concrete, actionable data”.
> I can say that most people we’ve talked to are completely surprised by this
> (even those following the forum threads), especially the implementation
> time, and are trying to assess the overall impact to their workflows.
>

I'm unfortunately a bit confused by this statement; earlier in the
discussion, it was suggested that CAs did not take the time to consult
their customers because there was not a concrete ballot for them to comment
on and evaluate. Now that there's a concrete ballot, the complaint is that
it's too soon to have a concrete ballot?

The problem with 'put a ballot out, but don't start voting on it' is that
it leaves it entirely ambiguous and indefinite as to when feedback is
expected or actionable. For example, consider that the Draft Ballot 186 has
had no response since initially putting it out there. Is that sufficient to
suggest that CAs agree with its content? That they disagree? If they do
disagree, what are the actionable steps to improve it?

Similarly, the problem with 'strawpolls', as suggested (and performed in
the past) is that it represents non-binding, non-actionable data. A CA's
incentives are always to vote against change, given the simple incentive
structure of the industry, and so a strawpoll doesn't help truly measure
consensus, because it lacks any consideration about when and how it's
phased in.

So we have a concrete ballot out. CAs and Browsers can certainly vote no or
to abstain - and hopefully, by having a concrete ballot, they'll do the
right thing and ensure that their No accurately explains why. Anything less
than that calls into serious question the commitment to finding consensus.


> By the same token, it would be helpful to hear any concrete actionable
> data that has suddenly made this a pressing need to quickly implement
> vis-à-vis other ecosystem security improvements. For example, is this
> considered a higher priority than say, CAA? Why/why not?
>

Unfortunately, this is a false equivalence. That is, there's been no data
shared as to why this would be mutually exclusive with CAA, on a
fundamental level, or any other improvement.

For example, the only outstanding concern that I've heard raised is one
which is still lacking data, which is "This would impact contracts, and
we'd need time to adjust contracts" - but without explanation as to why/how
specifically it affects contracts, or what amount of time is necessary (and
why) to renegotiate those contracts.

As to what is motivating the change, I think that's been highlighted
several times, so I'm not sure if your question is one of disagreement or
of confusion. Among a myriad of reasons, I'll simply point out that even
the ballot for CAA does not meaningfully provide assurances to the site
operators for another 39 months, given the extant corpus of certificates.
Short of requiring revocation of every certificate that did not abide by
the CAA ballot - a proposal that would almost certainly fail the CA vote
because it would be, in effect, 100% revocation - there's not much we can
practically do to address that for CAA. However, by reducing the timeframe,
we can make meaningful steps towards not repeating the same mistake in the
future.

It takes 39 months for this to be truly effective, short of browsers taking
aggressive steps to distrust older certificates. Spending another 3 months
- or even one month - debating that is not only counter-productive, it's
actively irresponsible and harmful.


> I know we are coming to the end of the discussion period but I hope we can
> continue to have a constructive dialog.
>