[cabfpub] Ballot 185 (Revised) - Limiting the Lifetime of Certificates

Stephen Davidson S.Davidson at quovadisglobal.com
Mon Feb 20 13:55:12 UTC 2017 

QuoVadis votes no.



We would agree to a 27 month validity cap, and hope that the 
proposers/endorsers of the ballot will engage in compromise.



Regards, Stephen







From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Ryan Sleevi via 
Public
Sent: Monday, February 13, 2017 3:19 PM
To: CABFPub <public at cabforum.org>
Cc: Ryan Sleevi <sleevi at google.com>
Subject: [cabfpub] Ballot 185 (Revised) - Limiting the Lifetime of 
Certificates



Pursuant to the consensus on 
https://cabforum.org/pipermail/public/2017-February/009530.html about the 
nature of changes during the discussion period, and the request from Gervase 
on https://cabforum.org/pipermail/public/2017-February/009618.html to adjust 
what represents the Baseline agreement, this adjusts the effective date from 1 
April to 24 August. While individual programs may choose to enact or enforce 
requirements prior to that, as the Baseline Requirements capture the effective 
point of common agreement of the bare minimum security levels, it seems 
appropriate that this Ballot accurately reflect that.





Ballot 185 - Limiting the Lifetime of Certificates



The following motion has been proposed by Ryan Sleevi of Google, Inc and 
endorsed by Josh Aas of ISRG and Gervase Markham of Mozilla to introduce new 
Final Maintenance Guidelines for the "Baseline Requirements Certificate Policy 
for the Issuance and Management of Publicly-Trusted Certificates" and the 
"Guidelines for the Issuance and Management of Extended Validation 
Certificates"



-- MOTION BEGINS --

Modify Section 6.3.2 of the "Baseline Requirements Certificate Policy for the 
Issuance and Management of Publicly-Trusted Certificates" as follows:



Replace Section 6.3.2, which reads as follows:

"""

6.3.2. Certificate Operational Periods and Key Pair Usage Periods



Subscriber Certificates issued after the Effective Date MUST have a Validity 
Period no greater than 60 months.

Except as provided for below, Subscriber Certificates issued after 1 April 
2015 MUST have a Validity Period

no greater than 39 months.



Until 30 June 2016, CAs MAY continue to issue Subscriber Certificates with a 
Validity Period greater than 39

months but not greater than 60 months provided that the CA documents that the 
Certificate is for a system or

software that:

(a) was in use prior to the Effective Date;

(b) is currently in use by either the Applicant or a substantial number of 
Relying Parties;

(c) fails to operate if the Validity Period is shorter than 60 months;

(d) does not contain known security risks to Relying Parties; and

(e) is difficult to patch or replace without substantial economic outlay

"""



with the following text:

"""

6.3.2. Certificate Operational Periods and Key Pair Usage Periods



Subscriber Certificates issued on or after 24 August 2017 MUST NOT have a 
Validity Period greater than three hundred and ninety-eight (398) days.



Subscriber Certificates issued prior to 24 August 2017 MUST NOT have a 
Validity Period greater than thirty-nine (39) months.

"""



Modify Section 9.4 of the "Guidelines for the Issuance and Management of 
Extended Validation Certificates" as follows:



Replace Section 9.4, which reads as follows:

"""

9.4. Maximum Validity Period For EV Certificate



The validity period for an EV Certificate SHALL NOT exceed twenty seven 
months. It is RECOMMENDED that EV

Subscriber Certificates have a maximum validity period of twelve months.

"""



with the following text:

""""

9.4 Maximum Validity Period for EV Certificate



EV Certificates issued on or after 24 August 2017 MUST NOT have a Validity 
Period greater than three hundred and ninety-eight (398) days.



EV Certificates issued prior to 24 August 2017 MUST NOT have a Validity Period 
greater than twenty seven (27) months.

"""

-- MOTION ENDS --



Ballot 185 - Limiting the Lifetime of Certificates

Status: Final Maintenance Guideline



Review Period:

Start Time: 2017-02-10 00:00:00 UTC

End Time: 2017-02-17 00:00:00 UTC



Vote for Approval:

Start Time: 2017-02-17 00:00:00 UTC

End Time: 2017-02-24 00:00:00 UTC



Votes must be cast by posting an on-list reply to this thread on the Public 
Mail List.



A vote in favor of the ballot must indicate a clear 'yes' in the response. A 
vote against must indicate a clear 'no' in the response. A vote to abstain 
must indicate a clear 'abstain' in the response. Unclear responses will not be 
counted. The latest vote received from any representative of a voting Member 
before the close of the voting period will be counted. Voting Members are 
listed here: https://cabforum.org/members/



In order for the ballot to be adopted, two thirds or more of the votes cast by 
Members in the CA category and greater than 50% of the votes cast by members 
in the browser category must be in favor.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170220/2cfcafbd/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5552 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170220/2cfcafbd/attachment-0001.p7s>

More information about the Public mailing list