[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

[Ryan Sleevi]

On Thu, Aug 22, 2019 at 10:04 PM Dean Coclin <dean.coclin at digicert.com>
wrote:

> >>No, that’s not what I was referring to, sorry if I didn’t explain it
> correctly. I was talking about the time from when we passed the ballot to
> when the change took effect. That was not 5 years.
>

Oh, I think I understand. You're talking about the artificial delays in
introducing it to the Baseline Requirements, after multiple Root Programs
had already announced when their effective dates are, and after broad
discussion in the Forum to assess if there were any unknown
incompatibilities. As we learned from some of the former customers of one
CA, which applied for an exception process, it sounded like the CA failed
to effectively communicate these changes, and when they did, may have
mislead those customers.

Thankfully, the CA largely responsible for that misinformation has been
distrusted, and so it's simply unfathomable to imagine CAs would still
mislead their customers about effective dates set by Root Programs or those
that might also appear in the Baseline Requirements. However, I do hope we
can agree on the many years notice and prior discussion, such that it was
no surprise to anyone when the Browser Programs mandated a particular date
for SHA-1.


> In terms of organizations making changes “in a reasonable amount of time”,
> I fear you did you not read the comments from the customers thoroughly.
> They read the ballot and the effective dates, hence the comments. Maybe we
> have a different interpretation.
>

Oh, I'm sorry I gave that impression! I personally read each and every
comment. They were fascinating as to the spectrum of confusion, which is
why I've tried to address many of those points on the list, and I'm sure
many responsible CAs following that discussion have been looking at ways to
tailor their user education to address some of those misconceptions and
misunderstandings about the change here.

And I never said anything about CAs ability to comply so I’m not sure where
> that is coming from.
>

Then I'm not sure your concern. Is this something that DigiCert is
representing as a concern for DigiCert, or are you merely echoing the user
confusion here?

If it's a concern of the customers, have I misunderstood something in the
analysis, namely, that this requires no organizational changes as of the
effective date, and the earliest meaningful practical impact is the year
following the effective date? While I understand some revalidation may be
required, depending on when those customers' certificates expire, surely
that's something that with six months lead time, CAs are more than equipped
to support and minimize any additional cost or effort.

If it's a concern of DigiCert, and you're worried about the reduction in
validation time, I'm not terribly worried. DigiCert set an example for the
industry during its integration of the Legacy Symantec PKI, showing it was
more than possible to fully revalidate the (former) customers of the
largest CA. As this will be more time, and with far fewer users, both in
aggregate and per CA, I have full confidence that the CA members are more
than prepared and up to the task.


> *it sounded like an April date, rather than March, is more than reasonable
> and sufficient, and I'll be updating the ballot to reflect that.*
>
> >>I was on the CABF call today and did not hear this. It must be a very
> recent update. Curious what the motivation is for a 1 month delay?
> (BTW-this is not a complaint, just a question)
>

I heard from some CAs that they were concerned about their users which have
holiday freezes that don't end until February. Despite the repeated
assurances and explanations that no changes are required for these
organizations in the coming year, after this Ballot is adopted and/or Root
Programs require it, there was some worry about how to explain that to
their users. It sounds like April helps address some of that confusion and
messaging a bit better, thus assuaging the concerns this might require
changes over a freeze period, however incorrect those concerns are.

To date, we haven't heard any issues of any technical incompatibilities,
which was certainly a worry! That is, there haven't been any CAs who have
suggested it's not supported by their underlying CA software. We haven't
heard of any stories of client software that's incompatible with 13 month
certificates. So it sounds like this is a system that can safely roll out
without breaking any existing users, even if it might require additional
work for those 6% still struggling on the old, longer-lived certificates
that are a security nightmare for them, the ecosystem, and especially users.

I'm certainly taking CAs' silence, during the discussion period, to
indicate that they're not aware of any technical compatibility issues,
which is certainly the primary goal of floating this as a Ballot, rather
than just a discussion.

The feedback DigiCert and Entrust has been very illuminating, and hopefully
all CAs in the Forum can benefit from it. In that feedback, it's clear what
some of the common misconceptions and confusion are, and so that can help
guide CAs developing support material for this change in how best to
address that confusion and concern. For example, highlighting the lack of
changes required, the opportunities to automate (although also highlighting
it's not required), and tools and utilities the CA has to help manage
certificates for those that don't. Similarly, it may highlight
opportunities for things CAs hadn't considered, such as allowing customers
to request free re-issued certificates with shorter validity periods, so
that they can align their organizations' certificates onto common cadences
and easier weekdays - like Tuesdays or Wednesdays - thus reducing the
management overhead and risks of accidental outages.


> >>I certainly understand the motivations for the ballot and the
> implications you have outlined. Customer however, don’t seem to.
>

This is fantastic, I'm glad you understand!

Will you be working at DigiCert to prepare training material, to help
address the confusion your customers' shared? It sounds like you've got
more than enough feedback to help clear the air on the confusion,
especially with respect to the potential impact. We'd be happy to review it
for you, for technical accuracy, if you'd like.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190822/408db932/attachment.html>