[cabfpub] Certificate lifetimes: end state or trajectory?

Gervase Markham gerv at mozilla.org
Fri Mar 3 09:14:56 UTC 2017


Following on from the discussion on the call, I think the Forum does
need to come to a conclusion on whether we are aiming to reduce
certificate lifetimes below 27 months in the next few years, or not.

I think it's fair to say that if the Forum passes a ballot on
certificate lifetimes _without_ a roadmap to 13 months (such as the
current ballot 193), then observers can reasonably assume that the Forum
is unlikely to take further steps on reducing lifetimes in the next few
years. Because if we were planning to do that, we would have set out our
roadmap in the relevant ballot in order to give everyone maximum time to
prepare.

According to Ryan's summary, the following members voted No on ballot
185 giving the reason that "13 months is unacceptably short":

CA: DigiCert, Entrust, Izenpe, Quo Vadis, Actalis, Symantec, Trustwave,
CFCA, GDCA
Browser: Apple

It would be useful if those members could say whether 13 months would
still be unacceptably short if the date for introduction of the 13-month
requirement were something like 1st March 2019, 2 years from now.

If we can get consensus that this reduction is OK with a long enough
lead time, that might lead us to a ballot where the max. lifetime was
reduced to 27 months on 1st March 2018, and 13 months on 1st March 2019,
meaning that by 1st May 2020, all unexpired certificates would be of
lifetime 13 months or fewer.

If members feel that even with 2 years lead time, this reduction is
still unacceptable, we should pass ballot 193 or something like it,
thereby indicating to the world that we have no plans for further
reductions in a CAB Forum context.

Gerv




