[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input
Scott Rea
scott at scottrea.com
Fri Feb 10 18:01:22 UTC 2017
Well I am not a voting member (yet), so feel free to ride roughshod
over what I am saying, not because you are correct, but because you can...

You missed entirely what I was saying Ryan. Peter's calculation is
technical - I agree, this is why you correctly chose days as the period
to be included in the standard. But my point is that Andrew's original
argument for 13 months is arbitrary - I could make the same argument for
14 months, it's just a line in the sand...

To be clear - I agree that 398 days is a technical representation of an
upper bound on 13 months. I disagree that 13 months is objective, and as
such, 400 days accomplishes the same objective, with lower expected
implementation effort for some of the CAs in the Forum.

I still advocate for 400 days.
Regards,
-Scott
On 2/10/2017 9:36 PM, Ryan Sleevi wrote:
>
>
> On Fri, Feb 10, 2017 at 9:23 AM, Scott Rea <scott at scottrea.com
> <mailto:scott at scottrea.com>> wrote:
>
> Ryan, I think I may have missed something in your earlier argument
> because I don't agree that 398 is an "...objective technical value".
> Isn't 398 just your representation of an upper bound on 13 months?
>
>
> No. It was chosen for precise technical considerations. You can see them
> enumerated in
> https://cabforum.org/pipermail/public/2017-February/009449.html
>
> 398 days represents the maximum validity period that accounts for all
> possible 'special' cases - leap years, 31 day months, and leap seconds
> (which might cause rounding errors). It is the smallest possible value
> which is difficult to get right.
>
>
> When introducing new policies, doesn't it behoove us to take a look at
> other trust communities who may have already tried to solve the same
> issue to see if there is anything we can learn, rather than reinventing
> the wheel every time?
>
>
> I do think this is very valuable, but you have yet to show anything
> that we can or should learn - that is, objective technical value. You've
> shared with us that another community chose 400 days, but you've yet to
> advance any reasonable technical consideration as to why 400 is better,
> objectively, than 398. The only argument that has so far not been shown
> as incorrect is the aesthetic one.
>
>
> Your 398 is NOT objective, it's arbitrary, just as 400 is arbitrary.
> Choosing 398 increases the burden of implementation for some CAs,
> choosing 400 reduces the burden for some CAs, as such, I don't see 398
> as the best choice.
>
>
> It sounds like you may have missed Peter's message, but hopefully that
> clarifies why 398 is objective. Similarly, the original discussion about
> why "13 months" rather than "12 months" was already captured in
> https://cabforum.org/pipermail/public/2017-January/009380.html
>
> Hopefully that clarifies any confusion and better explains why I still
> don't believe any change is necessary to accommodate your wish.
--
Scott Rea, MSc, CISSP
Ph# (801) 874-4114
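The thread above argues over whether 398 days is a technically derived upper bound on "13 months" (leap years, 31-day months, plus an allowance for leap-second rounding). The script below is an added worked example, not code from the thread or from any CA Browser Forum participant: it enumerates every start date across a window containing a leap year to find the longest calendar span of 13 months (366 + 31 = 397 days), and then checks constructed notBefore/notAfter pairs against a 398-day limit. The rounding convention (any fraction of a day counts as a whole day, so a one-second overrun is not forgiven) and the sample dates are assumptions of the example, not taken from the ballot text.

```python
import calendar
import math
from datetime import date, datetime, timedelta

# Upper bound on "13 months" as proposed in the draft ballot under discussion.
MAX_VALIDITY_DAYS = 398


def add_months(d: date, months: int) -> date:
    """Advance a date by whole calendar months, clamping the day to the
    target month's length (Jan 31 + 1 month -> Feb 28 or Feb 29)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def longest_13_month_span(first_year: int = 2016, last_year: int = 2020) -> int:
    """Walk every start date across a window that contains a leap year and
    return the largest number of days from a date to the same day 13 calendar
    months later. With a leap year inside the first 12 months and a 31-day
    13th month this is 366 + 31 = 397 days; the ballot's 398 adds one more
    day for rounding/leap-second effects."""
    longest = 0
    d = date(first_year, 1, 1)
    while d.year <= last_year:
        longest = max(longest, (add_months(d, 13) - d).days)
        d += timedelta(days=1)
    return longest


def parse_utc(s: str) -> datetime:
    """Parse the constructed notBefore/notAfter strings used below (Zulu time)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def validity_days(not_before: str, not_after: str) -> int:
    """Validity in days, rounding any fraction of a day up (assumption of this
    example: a period that overruns a whole number of days by even one second,
    e.g. through leap-second handling, counts against the CA, not in its favour)."""
    seconds = (parse_utc(not_after) - parse_utc(not_before)).total_seconds()
    return math.ceil(seconds / 86400)


def within_limit(not_before: str, not_after: str, limit: int = MAX_VALIDITY_DAYS) -> bool:
    """True when the validity period does not exceed the configured day limit."""
    return validity_days(not_before, not_after) <= limit


# Constructed sample validity periods (hypothetical, not real certificates).
SAMPLES = {
    "thirteen_months_from_march": ("2019-03-01T00:00:00Z", "2020-04-01T00:00:00Z"),  # 397 days
    "exactly_at_limit": ("2019-03-01T00:00:00Z", "2020-04-02T00:00:00Z"),           # 398 days
    "one_second_over": ("2019-03-01T00:00:00Z", "2020-04-02T00:00:01Z"),            # 399 after rounding up
}


def check_samples() -> dict:
    """Evaluate every constructed sample against MAX_VALIDITY_DAYS."""
    return {name: within_limit(nb, na) for name, (nb, na) in SAMPLES.items()}


if __name__ == "__main__":
    print("longest 13-month span:", longest_13_month_span(), "days")
    for name, (nb, na) in SAMPLES.items():
        verdict = "ok" if within_limit(nb, na) else "exceeds limit"
        print(f"{name}: {validity_days(nb, na)} days -> {verdict}")
```

Run it directly to see the enumeration and the three sample verdicts; the "one_second_over" case is the one that distinguishes a day-granular check from a second-granular one, which is exactly where a lint or audit tool for certificate lifetimes should be strict.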