[Servercert-wg] Ballot SC-52 version 2: Specify CRL Validity Intervals in Seconds

Ryan Sleevi sleevi at google.com
Wed Jan 5 17:38:50 UTC 2022

On Wed, Jan 5, 2022 at 12:06 PM Aaron Gable <aaron at letsencrypt.org> wrote:

> If I may, I believe the disconnect in this conversation can be summarized
> as follows:
> - It is understood that the current requirements are upper bounds, and
> that CAs should be scheduling their recurring tasks at intervals notably
> less than the strict requirements.
> - But at the same time, scheduling things to occur every 23 hours or every
> 11 months is relatively inconvenient, compared to scheduling things every
> 24 hours or 12 months.

I *think* there may be a third disconnect as well:
- Reading the clarifications (for hours & days) as also applying to longer
periods, particularly those in the NCSSRs.

I realized after seeing the discussion of weeks, that this might be getting
interpreted as also applying to the NCSSRs. If they had been incorporated
into the BRs, that's totally a risk, but the work to extract them into a
new WG seems to suggest otherwise. In that document, the discussion may be

I highlight this as a disconnect, because the NCSSRs already have the slack
built in (by using the vaguer terms that are subject to auditor
interpretation, rather than consistent interpretation); "at least an annual
basis" is such an example.

> My contrasting suggestion would be that, instead, one might schedule
> recurring tasks for 12 hours and 6 months respectively, which are both
> convenient and come in generously below the requirements.

Yes, exactly.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20220105/84348667/attachment.html>

More information about the Servercert-wg mailing list