[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

Tobias S. Josefowitz tobij at opera.com
Mon Aug 19 16:52:08 MST 2019


Hi Ryan,

On Mon, 19 Aug 2019, Ryan Sleevi wrote:

> Part of the concern is that while DigiCert's post in this thread didn't
> acknowledge the selection method, DigiCert's past communications from
> not-yet-public calls made it clear that they were not after an objective
> selection, and were carefully curating the list of customers solicited for
> feedback. That is, while presented as "a customer survey" and "an
> overwhelming number of customers", it was in fact a limited sample of
> certain "high-value" customers, and thus at best "an overwhelming number of
> hand-selected customers who responded to the survey".

[...]

> While I certainly understand that academic rigor is not the objective here,
> it's important to consider these facts when evaluating the results DigiCert
> shared. I also wanted to help DigiCert here; as they're laboriously working
> to summarize respondents' free-form text results, if the survey was
> spoiled, or if the desired objective was fundamentally unobtainable due to
> the selection method, perhaps it's not worth that effort and not worth
> further discussion? That surely would save time and energy, which could
> then be used for more productive engagement?

I will explicitly refrain from sharing my opinion regarding CA's
possibilities for community outreach and communication of the motivation 
of the proposed shortening of certificate lifetimes.

However, in my eyes, there can be no doubt that this change is/will be 
vastly unpopular with web site operators by the numbers, and I do not 
think that, in this regard, conducting surveys to begin with will add much 
perspective, nor do I think that debating the merits of any such survey 
should or could possibly be focal to the issue.

That is, unless you would change your perspective on the issue if a clean 
survey roughly reproduced the results presented by DigiCert. In which
case, by all means, we should go for it. Otherwise, maybe we should just 
shortcut this and possibly come to f.x. the understanding that we do not 
expect universal acclaim for this proposal from site operators, never 
expected it to receive such universal acclaim, that it was instead 
proposed on different merits entirely and move on in the discussion.

Tobi

