[cabf_validation] Draft Ballot SCXX: Improve Certificate Lifetimes

Ryan Sleevi sleevi at google.com
Fri Jul 26 09:51:10 MST 2019 

Thanks Wayne, that's a great suggestion, which I've now made in [1], and
you can see with all the other changes at [2]

[1]
https://github.com/sleevi/cabforum-docs/commit/8eea7514b83119b7004f2812f91748d6d2510424
[2] https://github.com/cabforum/documents/pull/138/files

On Fri, Jul 26, 2019 at 12:33 PM Wayne Thayer <wthayer at mozilla.com> wrote:

> I'd suggest that the Validity Period requirement for .onion certs in
> Appendix F be modified as follows to eliminate any potential
> confusion/misinterpretation:
>
> > Prior to March 1, 2020, CAs MUST NOT issue a Certificate that includes a
> Domain Name where .onion is in the right-most label of the Domain Name with
> a Validity Period longer than 15 months.
>
> Otherwise, one logical interpretation of this requirement after the
> effective date is that it overrides the 397 day limit. I don't think that's
> the intent.
>
> - Wayne
>
> On Fri, Jul 26, 2019 at 8:53 AM Ryan Sleevi <sleevi at google.com> wrote:
>
>> As discussed on the last validation call, and previously at the
>> CA/Browser Forum F2F, I've provided a draft ballot redline [1] to improve
>> the certificate lifetimes. This is created as a Draft Pull Request to allow
>> others to point out issues, and the current fixed commit version is [2],
>> since [1] will be updated if/as feedback is received.
>>
>> This Ballot modifies the Baseline Requirements and EV Guidelines to
>> harmonize on a 397-day Validity Period on 1 March 2020, two years after the
>> adoption of the 825-lifetime of Ballot 193 (and subsequently modified by
>> Ballot 197).
>>
>> A few explanations:
>> - The choice of 397 days represents the maximum legitimate interpretation
>> of a "thirteen-month" period; it's calculated from 366 days (considering
>> leap years) along with a 31-day month, the longest in the calendar used by
>> certificates.
>> - It harmonizes the EV Guidelines with the BR Requirements, given that
>> since 1 March 2018, the two have been aligned in their upper-bounds.
>> - It clarifies the existing EV Guidelines "thirteen month" to a 397-day
>> period, to both remove ambiguity and to harmonize expectations. This
>> /should/ be a no-op, unless some CAs have been misinterpreting "thirteen
>> months" as meaning that they could consider 1 Jan 2018 - 28 Feb 2019 as
>> "thirteen months" ("occurring in the thirteenth month")
>> - It resolves one area that had been flagged for cleanup; namely, Ballots
>> 193 & 197 left a linguistic ambiguity in BRGs Section 6.3.2 with respect to
>> what the maximally permitted validity period was/is exactly on 1 March 2018
>> (with interpretations proffered of "no restrictions", "39 months", and "825
>> days"). As a practical matter, root programs interpreted and enforced this
>> requirement as 825 days, consistent with Section 4.2.1 which used the
>> 'correct' language of "on or after"; this is largely a no-op considering
>> it's in the past.
>> - This also makes a minor correction to the EVGs Appendix F to correct
>> "validity period" to its proper term "Validity Period"
>>
>> Other changes considered, but not incorporated in this draft:
>> - An area of ambiguity that has been raised by CAs is whether or not
>> fractional days "count". That is, if a certificate is issued on 2020-03-01
>> 00:00:00, is the maximum permissible validity period 2021-04-02 00:00:00 or
>> is it 2021-04-02 23:59:59?
>>   - I'm firmly of the view that "fractional days mean greater than 0
>> days" and thus 23:59:59 would be a validity period exceeding 397 days (aka
>> a violation of the requirement)
>>   - This seems to be consistent with some members past explanations and
>> interpretations. For example, in the past, some CAs have suggested that we
>> clarify such periods based on seconds; for example "397 days, measured as
>> 86400 second days" or some variation like that, which would align how root
>> programs are computing and enforcing such periods
>>   - If folks are concerned about CAs being tripped up on this, I'm happy
>> to incorporate language that folks may wish to suggest to clarify that
>> fractional days count as exceeding the period specified.
>> - This modifies the EVGs 9.4 to refer to the "Baseline Requirements".
>> There are other sections nearby (e.g. 9.5 / 9.6) that refer to "Baseline
>> requirements" (non-proper term). Those will be punted for spring cleaning.
>>
>> I'm curious for feedback on these proposed changes and looking for
>> potential endorsers for providing a ballot to the CA/Browser Forum's Server
>> Certificate Working Group as a whole.
>>
>>
>> [1] https://github.com/cabforum/documents/pull/138/files
>> [2]
>> https://github.com/cabforum/documents/compare/master...sleevi:af8f70db71c8284e78fb5b907972e2062c60b14f
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20190726/cdf90e97/attachment-0001.html>

More information about the Validation mailing list