[cabfpub] Draft Ballot 185 - Limiting the Lifetime of Certificates
josh at letsencrypt.org
Tue Jan 31 21:39:52 MST 2017
I would be glad to endorse this ballot on behalf of ISRG / Let's Encrypt.
On Tue, Jan 31, 2017 at 9:50 PM, Ryan Sleevi via Public
<public at cabforum.org> wrote:
> I'm looking for two endorsers to publicly endorse this ballot.
> The validity period of certificates represents the single greatest
> impediment towards improving the security of the Web PKI. This is because it
> sets the upper-bound on when legacy behaviours may be safely deprecated,
> while setting a practical lower-bound for how long hacks and workarounds
> need to be carried around by clients.
> Further, in the event of misissuance related to internal control failures,
> rather than external security failures - for example, misissuance due to
> failing to properly vet subject information - the validity period represents
> the risk and exposure to customers and relying parties in the absence of
> revocation information (for example, constrained environments).
> To keep this vote simple, it avoids any discussion of the reuse of
> validation information, described in Section 4.2.1 of the Baseline
> Requirements and Section 11.14.3 of the EV Guidelines.
> The following motion has been proposed by Ryan Sleevi of Google, Inc and
> endorsed by ___ of ___ and ___ of ___ to introduce new Final Maintenance
> Guidelines for the "Baseline Requirements Certificate Policy for the
> Issuance and Management of Publicly-Trusted Certificates" and the
> "Guidelines for the Issuance and Management of Extended Validation
> -- MOTION BEGINS --
> Modify Section 6.3.2 of the "Baseline Requirements Certificate Policy for
> the Issuance and Management of Publicly-Trusted Certificates" as follows:
> Replace Section 6.3.2 with:
> 6.3.2. Certificate Operational Periods and Key Pair Usage Periods
> Subscriber Certificates issued on or after 1 May 2017 MUST NOT have a
> Validity Period greater than twelve (12) months.
> Subscriber Certificates issued prior to 1 May 2017 MUST NOT have a Validity
> Period greater than thirty-nine (39) months.
> Modify Section 9.4 of the "Guidelines for the Issuance and Management of
> Extended Validation Certificates" as follows:
> Replace Section 9.4 with:
> 9.4 Maximum Validity Period for EV Certificate
> EV Certificates issued on or after 1 May 2017 MUST NOT have a Validity
> Period greater than twelve (12) months.
> EV Certificates issued prior to 1 May 2017 MUST NOT have a Validity Period
> greater than twenty seven (27) months.
> -- MOTION ENDS --
Internet Security Research Group
Let's Encrypt: A Free, Automated, and Open CA
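As an added example (not code from this thread, ISRG or the CA/Browser Forum), here is a lint-style check in Python that applies the caps quoted in the ballot to a certificate's notBefore/notAfter pair. It assumes notBefore is the issuance date, that the cap is counted in calendar months from notBefore with the end date inclusive, and that the sample dates below are constructed.

```python
import calendar
from datetime import date

# Effective date and month caps as quoted in the draft ballot text above.
BALLOT_EFFECTIVE = date(2017, 5, 1)
MAX_MONTHS = {
    # (issued before effective date, issued on/after effective date)
    "subscriber": (39, 12),   # BR 6.3.2
    "ev": (27, 12),           # EVG 9.4
}


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole calendar months, clamping the day to the
    target month's length (e.g. 31 Jan + 1 month -> 28 or 29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def max_validity_months(not_before: date, ev: bool = False) -> int:
    """Pick the cap that applies to a certificate issued on not_before."""
    before, after = MAX_MONTHS["ev" if ev else "subscriber"]
    return after if not_before >= BALLOT_EFFECTIVE else before


def check_validity(not_before: str, not_after: str, ev: bool = False) -> dict:
    """Report whether the Validity Period (notBefore..notAfter, ISO dates)
    stays within the ballot's cap. Assumption: notBefore is issuance date."""
    nb = date.fromisoformat(not_before)
    na = date.fromisoformat(not_after)
    cap = max_validity_months(nb, ev)
    latest_allowed = add_months(nb, cap)
    return {
        "cap_months": cap,
        "latest_allowed_not_after": latest_allowed.isoformat(),
        "compliant": na <= latest_allowed,
    }


if __name__ == "__main__":
    # Constructed sample certificates, not real issuance data.
    for label, nb, na, ev in [
        ("DV issued before cutoff, 3 years", "2017-04-30", "2020-04-30", False),
        ("DV issued after cutoff, 2 years", "2017-05-01", "2019-05-01", False),
        ("EV issued after cutoff, 90 days", "2017-06-01", "2017-08-30", True),
    ]:
        r = check_validity(nb, na, ev)
        print(f"{label}: cap={r['cap_months']}mo compliant={r['compliant']}")
```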