[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

philliph at comodo.com philliph at comodo.com
Fri Feb 10 16:19:40 UTC 2017


> On Feb 10, 2017, at 10:39 AM, Ryan Sleevi via Public <public at cabforum.org> wrote:
> 
> 
> 
> On Fri, Feb 10, 2017 at 7:17 AM, <philliph at comodo.com> wrote:
> There are two possible reasons for limiting the validity interval
> 
> 1) To limit the length of CRLs (or equivalent).
> 2) To enable changes to cryptographic algorithms or withdrawal of certain types of permitted algorithm class to take place more expeditiously.
> 
> Hi Phillip,
> 
> Unfortunately, the flaw in your argument starts here, and unfortunately invalidates the rest of it.

I really don’t think you help your case with that type of talk.


> It's unclear whether you're stating that these are the only arguments put forward - which is demonstrably not true - or whether these are the only arguments you believe valid. However, if these are the only arguments you believe valid, then I would encourage you that rather than trying to undermine these, you might instead focus on why you're ignoring the other evidence put forward.

I have read the threads and I find that each time someone tries to pin you down on an argument you skate away and claim that you were actually arguing something different.


> I realize there's been a large volume of mail on this topic, so perhaps you simply haven't followed as closely, so a few links for background for you:
> - https://cabforum.org/pipermail/public/2017-February/009433.html
> - https://cabforum.org/pipermail/public/2017-February/009410.html
> 
> Hopefully, by reading those messages (although there are many more available, should you need), you can understand why the rest of your message, which I've omitted, unfortunately largely ignores the points being made. 

Arguing that the point has been answered elsewhere seems to be the only mode of argument you wish to engage in. 

It is a classic form of Internet fallacy.


To address what you now claim to be the vital interests you are protecting:

>  https://cabforum.org/pipermail/public/2017-February/009433.html

"In an enterprise scenario, 1-year certs would make things better. We restricted all enterprise issuance to a max of 2 year certs simply because it was the minimum of the max-validity of EV and DV."

Really? You really think that this is one of the two best arguments for your case? It is pretty obvious that there are many ways in which an annual process is more effort for the customer.


> - https://cabforum.org/pipermail/public/2017-February/009410.html

"For example, consider the (many) SHA-1 exception requests. A shorter
certificate lifetime would have allowed for a more nuanced phase-out, and
customers (such as Symantec's) could have been better informed of the SHA-1"

Which is cryptographic algorithm agility that you were trying to avoid engaging on.

You know how we could have had a better SHA-1 transition? If you browser providers had done as I suggested and started supporting SHA-2 immediately after the Wang break and planned to cut over ten years later, which would have meant phaseout was complete Feb 2015.





