On Sat, 11 Jul 2020 11:06:56 +1000
Matt Palmer via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
> A histogram of the number of certificates grouped by their notBefore
> date is going to show a heck of a bump on August 31, I'll wager.
> Will be interesting to correlate notBefore with SCTs.

I expect there will be a modest number of entities which are all three
of:

1. Aware this is happening in time to obtain certificates on or before
  August 31

2. Sufficiently unprepared for shorter certificate lifetimes still
  that they desire a longer-lived certificate rather than just using new
  one-year certificates (or automation).

3. And also organised enough to execute on a plan which obtains
  certificates in a timely fashion.

But there's no particular attraction to August 31 itself for these
subscribers; once they meet these criteria, why shouldn't they take
action sooner? So I'd expect this bump to be quite small and also
spread over days and weeks.

For the subscribers who are too late, too bad. I'm sure from September
for the next year or two commercial CAs will see some level of whining
from disgruntled customers whose cheese has been moved and aren't happy
about it. Some of it might leak here too.

I don't anticipate a WoSign-style back-dating epidemic. The benefits to
the subscriber are relatively small and the risk to a CA that gets
caught is more obvious than ever.


Nick.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
