[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Jody Cloutier jodycl at microsoft.com
Fri Feb 10 00:21:27 UTC 2017


12 months seems to short, especially if we aren’t somehow limiting the scope of the proposal to website authentication only. I would recommend that we reconsider what Digicert proposed in the past.

From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley via Public
Sent: Thursday, February 9, 2017 4:12 PM
To: Ryan Sleevi <sleevi at google.com>
Cc: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

No, I don’t think that meeting was fair signal to research how long the transition to one year certs would take. The aggressive proposal at the time was 27 months (which DigiCert proposed). At that time, we reviewed and asked customers about adopting 27 months, and found that it was achievable immediately. How would we have known that Google would try to accelerate that to 12 months instead?


From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, February 9, 2017 3:08 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>>
Cc: CA/Browser Forum Public Discussion List <public at cabforum.org<mailto:public at cabforum.org>>
Subject: Re: [cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input



On Thu, Feb 9, 2017 at 2:01 PM, Jeremy Rowley <jeremy.rowley at digicert.com<mailto:jeremy.rowley at digicert.com>> wrote:
That’s the question and the area where there’s insufficient data to respond. The ballot happened quickly enough that I doubt most of us have had time to evaluate with the customers how long of a transition period they would need.

I would highlight some of the points I made to Dean earlier, in https://cabforum.org/pipermail/public/2017-February/009540.html

"Do you believe the CAs who find themselves in such cases were making a good faith effort to participate in the CA/Browser Forum, knowing that discussions have been occurring for three years on this topic? Did such CAs simply assume that any possible attempt to change would be blocked? "

For example, do you believe that the discussion in https://cabforum.org/2015/06/24/2015-06-24-face-to-face-meeting-35-minutes/ was a fair signal to take the time to evaluate with customers how long of a transition period they would need? If not, how long should the CA/Browser Forum discuss something before CAs take concrete steps to collect feedback from their users, if 18 months is not sufficient time?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170210/340f0c66/attachment-0003.html>


More information about the Public mailing list