[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates: User input

Mon Feb 13 16:25:02 UTC 2017

Hi Doug,

Thanks for reposting. There's a number of inaccuracies here; given that
SSL247.com is a reseller of Symantec, Comodo, and GlobalSign's, perhaps
this would be an opportunity for the CA Security Council - of which all
three vendors are members - to help provide clarifications for their
customers, as I imagine we'd otherwise we'd see a whole host of the same
message, unfortunately relying on an incorrect understanding. Similarly,
rather than having customer support provided by Browser members, it might
be an opportunity that, prior to posting, GlobalSign can work with its
customers to correct these misunderstandings.

I've reduced the relevant snippets below that highlight the
misunderstanding, which I think successfully resolves any and all
objections being reported by your customer.

On Mon, Feb 13, 2017 at 6:57 AM, Doug Beattie via Public <
public at cabforum.org> wrote:
>
> The question behind the scene is not « Customer prefers X » as stated by Ryan
> Sleevi but "Customers will not be able to cope with Y », Y being 13
> months validity on their certs. Probably fine for DV certificates that are
> delivered through automatic vetting processes but definitely not for OV and
> EV certs.
>

This proposal does not affect any meaningfully address any of the
(potentially expensive and timeconsuming process) of vetting periods for OV
or EV certificates. That is, CAs may continue to rely on previous validated
information for the issuance of certificates, but such certificates must be
limited to 13 months. This allows you to perform validation once, and where
today you might obtain a 39-month certificate, in the future, you'll obtain
three 13 month certificates.

While there are real issues with such re-use - as can be seen by CA's
misissuing new certificates through reliance on previously validated
information that wasn't validated appropriately, and even after correcting
the validation process, they didn't expire such validation information -
this ballot solely focuses on the certificate lifetime.

> the DV market which is definitely not the standard of SSL certificates we
> want to bring the market to as the customers won’t be able to cope with
> yearly audits/vettings.
>

DV is the standard of SSL certificates on the market. No browser or user
agent recognizes OV as providing any value-added security (as communicated
to users), so if you believe it does, it's likely due to CAs suggesting
such, not browsers. EV is a technically flawed standard whose value to cost
is also questionable, and which is also not the standard for which we
(Google) want to bring to market to customers.

While this explains the philosophical difference, Ballot 185 does not in
force that discussion, as structured presently, nor does it require you to
accept Browsers perspectives (although future efforts to remove EV from
some browsers will likely resolve that matter).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170213/8a7e08ce/attachment-0003.html>