[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input
Rob Stradling
rob.stradling at comodo.com
Fri Feb 10 17:28:31 UTC 2017
On 10/02/17 17:04, Ryan Sleevi via Public wrote:
<snip>
> Absent this change, if Browsers were to require that all new
> certificates contain the id-kp-serverAuth EKU, from intermediates that
> contain the id-kp-serverAuth EKU, from roots that contain the
> id-kp-serverAuth EKU - as a very simple example - how long do you
> believe this migration would take?
<snip>
Nitpicking this particular example:
Most root certificates don't contain the EKU extension. Persuading some
browser root programs to accept new root certificates can take MANY,
MANY YEARS! A 13-month maximum validity period for leaf certs would not
improve that particular situation.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list