[cabfpub] Certificate lifetimes: end state or trajectory?

Gervase Markham gerv at mozilla.org
Fri Mar 3 09:46:04 MST 2017


Hi Phillip,

On 03/03/17 16:14, Phillip Hallam-Baker wrote:
> Going from 2 years to 1 or even 90 days makes no significant difference to
> security in my view. The only way to make a significant difference is to
> take the vulnerability window down to 3 days or less by requiring effective
> revocation.

You keep making this point, but it assumes incorrectly that the reason
for reducing certificate lifetimes is to reduce the "vulnerability
window". That's simply not the case. No-one is arguing "we should reduce
certificate lifetimes because then we don't have to bother with
revocation at all".

> Right now we have a situation where certain people are loudly asserting that
> we can't do effective revocation because it requires X and simultaneously
> asserting that we must make other measures that are less effective but also
> require X.

What is X in your example?

I would be more open to listening to your thoughts on revocation if I
found you could clearly articulate all the reasons for Mozilla's
position regarding why we think OCSP hard-fail for every cert is not
possible (even if you didn't agree with it). Then you could tell me how
whatever plans you have address all those issues. But regardless, let's
do that in another thread, because this one is not about revocation.

> CAs and Browser providers naturally have different views on the last as site
> administrators are our customers. So a proposal that requires hundreds of
> thousands of site admins to spend hours or days implementing a change is a
> major issue for CAs. 

This is another of those "if this is true, something is very wrong"
moments. If it takes hours or days to replace a cert, something is very
wrong. Moving from 2 years to 1 year makes it happen twice as often. If
it's taking that long, this customer needs automation whether certs are
2 years or 1 year in duration.

Gerv


