[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Christian Heutger ch at psw.net
Fri Feb 10 10:32:06 UTC 2017 

> If the effort of replacing a certificate is equivalent to the effort of deploying a new version of Windows, then something is very wrong in that environment.

I don’t talk about the effort of replacing a certificate. I talk about the driver behind limiting the lifetime and what would and primarly (as it’s the driver of this ballot) will happen on limiting the lifetime: Algorithm changes in 1 year. That is something, an enterprise can’t meet. For sure, it’s not compared with a complete new Windows version rollout, but by skipping versions, we talk about a 6 year period of replacing windows meanwhile we currently have a 3 year period for changing algorithms and have clients and inhouse CAs prepared. Rolling out certs themselves without any change, just a new key and a new cert is a much faster job and the technical side is not the important one but the proccess-based. So many enterprises like Scrum very much to get faster and more agile. We talk about sprints of usually up to 4 weeks. So the whole replacement process can be done in the overlapping 1-3 months renewal terms we currently have, based on the organization. But it’s again not the sense of limiting the lifetimes, it’s planned and proposed, to change algorithms that way. That’s something I see big troubles for enterprise customers as it’s a much too short timeframe.

> We need to get to a place where replacing the security certificate in _any_ server or appliance is a simple and easily-automatable job. How do you propose we get there?

I propose, we shouldn’t go to an automated job as this conflicts with many security best practices as stated before. Simple it can be (the technical job itself), but should not be automated.
    
> Well, if you still haven't sorted out automation by the time someone proposes months or weeks, you can oppose it then :-)

You’re still at the technical job of certificate administration and just about certificate management. I talk about the reason and driver of the ballot and that being able, willing and planning to do algorithm changes in 1 year (+1 month) is too less. Additionally I say, months or weeks require automation and automation is against security best practices.

> I suspect you will find that automated systems are, in fact, more reliable and secure than manual ones. People doing things manually can make mistakes. This is why sysadmins like automation.

There may be mistakes in automation as well as in manual work, but manual work is managed, automation isn’t. Sysadmins like automation, CISOs don’t like. 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3400 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170210/9f697c22/attachment-0003.bin>

More information about the Public mailing list