[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

[Ryan Sleevi]

On Mon, Aug 26, 2019 at 10:14 AM Christian Heutger <ch at psw.net> wrote:

> > Annual certificates do not require the use of automation. Certificates
> with lifespans of <= 13 months, as this ballot proposes, make up 94% of the
> existing valid certificate market.
>
>
>
> Because of the amount of Let’s Encrypt certs, which you won’t see in the
> Top 100 etc. sites.
>

While I disagree with cherry picking participants, particularly those that
demonstrate good practices, I do worry that some others may have this
mistaken and incorrect understanding. Thus, I think it bears addressing
this misconception that somehow Let's Encrypt is significantly impacting
these numbers. If you wholly exclude Let's Encrypt from considerations, the
numbers remain fairly close - 86% of certificates in use are already
prepared, vs 13% which, when renewed, would have lower lifetimes.

However, this sort of analysis entirely misses the metapoint, which is that
this is both right and necessary for the security of users online, and
simply measuring the lifetime of extant certificates doesn't reveal
particularly compelling information. Of substance, and useful, is to
understand specifically the challenges and incompatibilities, so that a
holistic ecosystem view can be taken. I'm sure individual IT managers will,
out of understandable necessity, fixate on their local impact. We've seen
as much in discussions of HTTPS or any change in anything. However, that
does not mean that the changes are not justified or necessary; it merely
provides opportunities for CAs to better help their customers understand
the role in which normative requirements, such as those in the Baseline
Requirements or Root Programs, helps keep everyone secure.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190826/7733b2bb/attachment.html>