[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
sleevi at google.com
Wed Feb 1 05:22:22 UTC 2017
On Tue, Jan 31, 2017 at 9:15 PM, Andrew Ayer <andrew at sslmate.com> wrote:
> On Tue, 31 Jan 2017 20:37:19 -0800
> Ryan Sleevi via Public <public at cabforum.org> wrote:
> > Except what we're seeing is that subscribers aren't renewing annually
> > - they're renewing every 13 months (or 27 or 39).
> > That is, it's unclear that the practical benefit of the buffer is
> > there, but it'd be great to understand if something is being missed.
> > Put differently, why cant CAs begin reaching out to their customers
> > one month before it expires (e.g. on month 11)? What makes month 12
> > more special than month 11, from the perspective of the
> > customer/subscriber/applicant?
> > For that matter, it would seem like 12 months is *more* customer
> > friendly, because then they can get into an annual habit of replacing
> > their cert. If it were 13 months, and CAs continued the current
> > practice of notifying at some point of (T-1 month / T-2 months), then
> > every year, the subscriber will be installing the cert one month
> > later - until suddenly they find themselves in that
> > November/December/January "production freeze" and find themselves
> > scrambling.
> To avoid the expiration date drifting every year, a renewed
> certificate's notAfter date must be exactly one year after the current
> certificate's notAfter date. With a 12 month limit, the CA could only
> do this by issuing the renewed certificate exactly when the current
> certificate expires, which is clearly unworkable since it allows no
> time for cutover.
> In contrast, a 13 month limit would allow a CA to issue the renewed
> certificate up to one month before the current certificate expires,
> with a validity period between 12 and 13 months as necessary to make
> the expiration date sync up. This is far friendlier.
Ah, right, that's the bit I was missing. Thanks for highlighting that.
Jeremy, if this were updated to 13 months, would you be willing to endorse?
Josh, would the delta of a month cost us ISRG's endorsement?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public