[Servercert-wg] Ballot SC22: Reduce Certificate Lifetimes

Chema Lopez clopez at firmaprofesional.com
Thu Sep 5 01:30:00 MST 2019


Firmaprofesional votes no on Ballot SC22.



*Chema López*

Director of Innovation, Compliance and Technology

+34 666 429 224






*Barcelona* Av. Torre Blanca 57, Edif. Esadecreapolis, Local 3B6 - 08173
Sant Cugat del Vallès | +34 934 774 245

*Madrid* C/ Velázquez 59, 1º Ctro-Izda. - 28001 Madrid | +34 915 762 181


www.firmaprofesional.com





On Tue, 3 Sep 2019 at 01:16, Chris Bailey via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Entrust Datacard votes no on Ballot SC22.  Here are our reasons.
>
>
>
> 1. This ballot was proposed or endorsed by three browsers – Google,
> Mozilla, and Apple – and by one CA, Let’s Encrypt.  It was written to
> address certain hypothetical security issues, but no comprehensive security
> analysis was provided to demonstrate the value of these changes to the
> community as a whole.
>
>
>
> 2. Three Forum members polled their customers (the website
> owners/Subscribers) about the ballot – and the response to the ballot was
> overwhelmingly negative.
>
>
>
> *DigiCert:* 81% of responding customers oppose the ballot.  70% use no
> automation for certificate replacement, 13% are “mostly no” on use of
> automation.  Median company size: 2,800+ employees.  Number of respondents:
> 545.
>
> https://cabforum.org/pipermail/servercert-wg/2019-August/000900.html
> (basic results)
>
> https://cabforum.org/pipermail/servercert-wg/2019-August/000942.html
> (related customer comments)
>
>
>
> *Entrust Datacard:* 83% of responding customers oppose the ballot.  75%
> use no automation for certificate replacement.  Median company size: 7,000+
> employees.  Number of respondents: 573.  350 more responses came in after
> we published the initial survey – the results were consistent.
>
> https://cabforum.org/pipermail/servercert-wg/2019-August/000936.html
>
> *GoDaddy:* 82% of responding customers oppose the ballot.  Only 26% of
> respondents use automation or “some automation” for their certificate
> replacement.  This survey focused on GoDaddy’s customer base, the small
> business. Number of respondents: 2,732.
>
> https://cabforum.org/pipermail/servercert-wg/2019-August/000991.html
>
>
>
> In total, *3,850 organizations* responded to these surveys, and *82% are
> opposed* to the ballot.  This is important data that should be considered
> by those who are proposing this ballot.
>
>
>
> DigiCert and Entrust Datacard also published hundreds of comments received
> with the survey.  As you see in the links above, many website owners are
> upset at the browsers who are promoting this ballot.  Unfortunately, the
> comments in opposition were dismissed and even ridiculed on the Server
> Certificate Working Group list.  Some website owners oppose automation of
> certificate replacement on a security basis, while others pointed out that
> automation is simply not possible in certain environments.  These are IT
> security experts for major enterprises, and their views should be carefully
> considered, not dismissed.
>
>
>
> We want to propose a better approach for this issue – to create a special
> ad hoc committee of browsers, CAs, website owners, and others to develop
> metrics by consensus on if and when certificate validity and data reuse
> periods should be shortened.  The Forum should listen to all voices and
> welcome outside expertise on such an important and highly controversial
> issue as this.
>
>
>
> For these reasons, we are voting no, and we urge other CAs and the
> browsers also to vote no and to work together in developing a better
> approach to addressing this issue.
>
>
>
>
>
> Thanks,
>
>
>
> Chris
>
>