[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates

Ryan Sleevi sleevi at google.com
Tue Jan 31 20:50:25 MST 2017


I'm looking for two endorsers to publicly endorse this ballot.

Background:
The validity period of certificates represents the single greatest
impediment towards improving the security of the Web PKI. This is because
it sets the upper-bound on when legacy behaviours may be safely deprecated,
while setting a practical lower-bound for how long hacks and workarounds
need to be carried around by clients.

Further, in the event of misissuance related to internal control failures,
rather than external security failures - for example, misissuance due to
failing to properly vet subject information - the validity period
represents the risk and exposure to customers and relying parties in the
absence of revocation information (for example, constrained environments).

To keep this vote simple, it avoids any discussion of the reuse of
validation information, described in Section 4.2.1 of the Baseline
Requirements and Section 11.14.3 of the EV Guidelines.



The following motion has been proposed by Ryan Sleevi of Google, Inc and
endorsed by ___ of ___ and ___ of ___ to introduce new Final Maintenance
Guidelines for the "Baseline Requirements Certificate Policy for the
Issuance and Management of Publicly-Trusted Certificates" and the
"Guidelines for the Issuance and Management of Extended Validation
Certificates"

-- MOTION BEGINS --
Modify Section 6.3.2 of the "Baseline Requirements Certificate Policy for
the Issuance and Management of Publicly-Trusted Certificates" as follows:

Replace Section 6.3.2 with:
"""
6.3.2. Certificate Operational Periods and Key Pair Usage Periods

Subscriber Certificates issued on or after 1 May 2017 MUST NOT have a
Validity Period greater than twelve (12) months.

Subscriber Certificates issued prior to 1 May 2017 MUST NOT have a Validity
Period greater than thirty-nine (39) months.
"""

Modify Section 9.4 of the "Guidelines for the Issuance and Management of
Extended Validation Certificates" as follows:

Replace Section 9.4 with:
""""
9.4 Maximum Validity Period for EV Certificate
EV Certificates issued on or after 1 May 2017 MUST NOT have a Validity
Period greater than twelve (12) months.

EV Certificates issued prior to 1 May 2017 MUST NOT have a Validity Period
greater than twenty seven (27) months.
"""
-- MOTION ENDS --
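A compliance check for the rule the motion proposes, as an added example (not part of the ballot or the author's text): it decides the applicable cap from the issuance date and flags certificates whose validity exceeds it. It assumes notBefore stands in for the issuance date and that "N months" means N calendar months added to notBefore, with the day clamped to the end of a shorter month; the sample records are constructed.

```python
import calendar
from datetime import datetime, timezone

# Cutoff date from the draft ballot: certificates issued on or after it get the 12-month cap.
CUTOFF = datetime(2017, 5, 1, tzinfo=timezone.utc)


def add_months(dt, months):
    """Add calendar months to dt, clamping the day to the target month's length."""
    month0 = dt.month - 1 + months
    year, month = dt.year + month0 // 12, month0 % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def max_validity_months(not_before, ev=False):
    """Maximum Validity Period in months under the ballot text (BR 6.3.2 / EVG 9.4)."""
    if not_before >= CUTOFF:          # issued on or after 1 May 2017
        return 12
    return 27 if ev else 39           # pre-cutoff: 27 months EV, 39 months BR


def check_validity_period(not_before, not_after, ev=False):
    """Return (compliant, cap_in_months, latest_allowed_not_after)."""
    cap = max_validity_months(not_before, ev)
    latest = add_months(not_before, cap)
    return not_after <= latest, cap, latest


# Constructed sample records (not real certificates) to lint against the rule.
SAMPLE_CERTS = [
    {"subject": "a.example (constructed)", "ev": False,
     "not_before": datetime(2017, 6, 1, tzinfo=timezone.utc),
     "not_after": datetime(2019, 6, 1, tzinfo=timezone.utc)},   # 24 months after cutoff
    {"subject": "b.example (constructed)", "ev": True,
     "not_before": datetime(2017, 1, 31, tzinfo=timezone.utc),
     "not_after": datetime(2019, 4, 30, tzinfo=timezone.utc)},  # exactly 27 months, pre-cutoff EV
]


def find_noncompliant(certs):
    """Subjects of records whose validity exceeds the applicable cap."""
    return [c["subject"] for c in certs
            if not check_validity_period(c["not_before"], c["not_after"], c["ev"])[0]]


if __name__ == "__main__":
    for subj in find_noncompliant(SAMPLE_CERTS):
        print("validity period exceeds cap:", subj)
```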