[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certif icates

Eric Mill eric at konklone.com
Sat Feb 4 04:16:01 UTC 2017 

On Fri, Feb 3, 2017 at 7:53 PM, Ryan Sleevi via Public <public at cabforum.org>
wrote:
>
>
> On Fri, Feb 3, 2017 at 7:42 PM, realsky(CHT) <realsky at cht.com.tw> wrote:
>
>>
>>
>> I think most CAs offer their cusomers to migrate SHA-1 SSL certificates
>> to SHA 256 SSL certificates for free. Try their best to call out and e-mail
>> to the customers to encourage them.
>>
>
> A number of CAs had trouble. I think https://github.com/konklone/
> shaaaaaaaaaaaaa/issues/24 - a site Eric Mill put together when Chrome
> made the UI changes - is a pretty telling example of CAs not being as
> prepared as they otherwise suggested. More importantly, it highlights that
> changes didn't happen until they were forced - and a number of customers
> who actively wanted to be more secure were prevented by the insecure
> practices and defaults of a number of CAs.
>

Even rereading that thread is painful. Yes, running
https://shaaaaaaaaaaaaa.com during the spike of attention to SHA-1 that
Chrome's UI change generated got me very well-acquainted with how prepared
CAs were to operationally migrate to SHA-2, and the experiences they
subjected their customers to during that process. The home page was filled
with links
<http://web.archive.org/web/20141027141746/https://shaaaaaaaaaaaaa.com/> to
workaround and instructions for getting SHA-2 EE certs and intermediates,
that generally only the most technically savvy users could hope to follow.

It seems like people learned a lot from that period, along with how
difficult it's been to grant exceptions over 2016. But I honestly don't
understand the argument for keeping longer-lived certificates other than
"customers want it", which is a very weak argument when customers would
clearly be able to tolerate relatively shorter certificates.

Arguing that a 1-year limit would favor automation and that that favors any
particular set of CAs is even weaker -- if pushing customers towards
automation represents a threat to a particular CA, that CA should perhaps
look carefully at its feature roadmap. Automation is, by any measure, the
future of trust and infrastructure, and it should feel very scary to feel
business incentives that point in the opposite direction.

-- Eric


> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>


-- 
konklone.com | @konklone <https://twitter.com/konklone>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170203/7cdce6ca/attachment-0003.html>

More information about the Public mailing list