Gerv, I'm curious whether you would consider 18 months an appropriate target for a deprecation to 1 year certificates. That is, do you believe a transition to 1 year certificates requires 24 months or 18 months, or was it chosen simply for its appeal as a staggered number (1 year -> 2 year certs, 2 years -> 1 year certs)?
On Mon, Mar 27, 2017 at 5:10 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 17/03/17 15:30, Gervase Markham wrote:
> > The URL for the draft of the next CA Communication is here:
> > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S000000G3K2
> >
> > Note that this is a _draft_ - the form parts will not work, and no CA should attempt to use this URL or the form to send in any responses.
>
> Here is another proposed question:
>
> Certificate Validity Periods
>
> Your attention is drawn to CAB Forum ballot 193, which recently passed. This reduces the maximum permissible lifetime of certificates from 39 to 27 months, as of 1st March 2018. In addition, it reduces the amount of time validation information can be reused, from 39 to 27 months, as of 31st March 2017. Please be aware of these deadlines so you can adjust your practices accordingly.
>
> Mozilla is interested in, and the CAB Forum continues to discuss, the possibility of further reductions in certificate lifetime. We see a benefit here in reducing the overall turnover time it takes for an improvement in practices or algorithms to make its way through the entire WebPKI. Shorter times, carefully managed, also encourage the ecosystem towards automation, which is beneficial when quick changes need to be made in response to security incidents. Specifically, Mozilla is currently considering a reduction to 13 months, effective as of 1st March 2019 (2 years from now). Alternatively, several CAs have said that the need for contract renegotiation is a significant issue when reducing lifetimes, so in order that CAs will only have to do this once rather than twice, another option would be to require the reduction from 1st March 2018 (1 year from now), the current reduction date.
>
> Please explain whether you would support such a further reduction dated to one or both of those dates and, if not, what specifically prevents you from lending your support to such a move. You may wish to reference the discussion on the CAB Forum public mailing list to familiarise yourself with the detailed arguments in favour of certificate lifetime reduction.
>
>
> Comments, as always, are welcome.
>
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy