[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

Christian Heutger ch at psw.net
Tue Aug 20 07:33:01 MST 2019


The survey and its results comply with the best-practice feedback you would get from any ITSM, ISM or similar people. Automation is not a good solution for managed servers, networks and infrastructure. All up-to-date standards are also based on risk management, so adjustments should be made based on the risk evaluation. The expected outcome does not outweigh the effort (or the pressure of only being able to choose automation). From such an audience, which is the one accountable for service management and security management, you would also always get the same answer: why should a workaround with many pain points be established instead of fixing the direct issue? Against phishing or other certificate misuse 1 year won’t help, and 90 days also won’t help (I got some spam with a Let’s Encrypt cert, and this phishing site was operated for the full 90 days); you would need to reduce the lifetime to a day or, better, hours. Is this really an idea which could work? Even if automation were able to handle that, it would raise additional new pain points. And still the question arises: is it worth it to fix a completely different issue?