I'm curious whether you would consider 18 months an appropriate target for
a deprecation to 1 year certificates. That is, do you believe a transition
to 1 year certificates requires 24 months or 18 months, or was it chosen
simply for its appeal as a staggered number (1 year -> 2 year certs, 2
years -> 1 year certs)

On Mon, Mar 27, 2017 at 5:10 AM, Gervase Markham via dev-security-policy <> wrote:

> On 17/03/17 15:30, Gervase Markham wrote:
> > The URL for the draft of the next CA Communication is here:
> >
> CACommunicationSurveySample?CACommunicationId=a050S000000G3K2
> >
> > Note that this is a _draft_ - the form parts will not work, and no CA
> > should attempt to use this URL or the form to send in any responses.
> Here is another proposed question:
> Certificate Validity Periods
> Your attention is drawn to CAB Forum ballot 193, which recently passed.
> This reduces the maximum permissible lifetime of certificates from 39 to
> 27 months, as of 1st March 2018. In addition, it reduces the amount of
> time validation information can be reused, from 39 to 27 months, as of
> 31st March 2017. Please be aware of these deadlines so you can adjust
> your practices accordingly.
> Mozilla is interested in, and the CAB Forum continues to discuss, the
> possibility of further reductions in certificate lifetime. We see a
> benefit here in reducing the overall turnover time it takes for an
> improvement in practices or algorithms to make its way through the
> entire WebPKI. Shorter times, carefully managed, also encourage the
> ecosystem towards automation, which is beneficial when quick changes
> need to be made in response to security incidents. Specifically, Mozilla
> is currently considering a reduction to 13 months, effective as of 1st
> March 2019 (2 years from now). Alternatively, several CAs have said that
> the need for contract renegotiation is a significant issue when reducing
> lifetimes, so in order that CAs will only have to do this once rather
> than twice, another option would be to require the reduction from 1st
> March 2018 (1 year from now), the current reduction date.
> Please explain whether you would support such a further reduction dated
> to one or both of those dates and, if not, what specifically prevents
> you from lending your support to such a move. You may wish to reference
> the discussion on the CAB Forum public mailing list to familiarise
> yourself with the detailed arguments in favour of certificate lifetime
> reduction.
> Comments, as always, are welcome.
> Gerv
> _______________________________________________
> dev-security-policy mailing list
dev-security-policy mailing list

Reply via email to