On Tue, Mar 28, 2017 at 10:00 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> In principle any source of information could change just one minute
> later.  A domain could be sold, a company could declare bankruptcy, a
> personal domain owner could die.

Yup. And we balance the usability tradeoff.

> For smaller organizations (i.e. not Google), requesting and deploying
> new certificates every few years is a real hassle,

And that's a bug and needs to change. Plain and simple, that doesn't work
for security. But perhaps we're getting further off-topic, other than I
think the crux of your objection is that "Replacing certificates is hard",
when the reality is we should be striving to replace certificate every 90
days or less, and work to address the systemic and organizational issues
that prevent this.

> and often a
> non-trivial expense.  Forcing the paid, carefully validated
> certificates to be repurchased and reinstalled a lot more often imposes
> a real burden on real websites and real e-mail accounts.
> The previous CAB/F rule of 3 years max seemed to be a useful
> compromise, only slightly more difficult than the old 5 year offering
> from some CAs, and well within reason as to handling the frequency of
> ordinary changes in domain and company ownership/status that occur in
> the real world.

Unfortunately, that's long been held as undesirably long by browser
members, based on the surveys for several years. Unfortunately, CAs have
not been terribly interested in aligning this.

> The somewhat sudden (to outsiders) tendency to force frequent
> certificate replacements for those not using "Let's encrypt" seems
> arbitrary, harmful and mostly pointless.

Right, I think this philosophical difference - one in which I very much
think is actively harmful to security, even though I think it's a totally
understandable and reasonable position for you to hold - is perhaps the
crux of the objection on validating information. And that's useful to
acknowledge up front, and since we've arguably beat this horse to death,
acknowledge that it's merely a position statement being provided, and the
philosophical differences mean it's unlikely for everyone to be happy.
dev-security-policy mailing list

Reply via email to