On Sat, 11 Jul 2020 11:06:56 +1000
Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> A histogram of the number of certificates grouped by their notBefore
> date is going to show a heck of a bump on August 31, I'll wager.
> Will be interesting to correlate notBefore with SCTs.

I expect there will be a modest number of entities which are all three of:

1. Aware this is happening in time to obtain certificates on or before August 31

2. Sufficiently unprepared for shorter certificate lifetimes still that they desire a longer lived certificate rather than just using new one year certificates (or automation).

3. And also organised enough to execute on a plan which obtains certificates in a timely fashion.

But, there's no particular attraction to August 31 itself for these subscribers, once they meet these criteria why shouldn't they take action sooner? So I'd expect this bump to be quite small and also spread over days and weeks.

For the subscribers who are too late, too bad. I'm sure from September for the next year or two commercial CAs will see some level of whining from disgruntled customers whose cheese has been moved and aren't happy about it. Some of it might leak here too.

I don't anticipate a WoSign-style back-dating epidemic. The benefits to the subscriber are relatively small and the risk to a CA that gets caught is more obvious than ever.

Nick.
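
An added example, not part of the original thread: the notBefore histogram and the notBefore/SCT correlation discussed above, as a back-dating check over constructed records. The 398-day cap, the 1 September 2020 UTC cutoff and the 48-hour tolerance are assumptions that are not stated in the messages, and every certificate record is made up for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumptions (not stated in the thread): the cap is 398 days and applies
# to certificates with notBefore on or after 2020-09-01 UTC.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=398)
# Hypothetical tolerance: notBefore is often set slightly in the past to
# absorb clock skew, so a small gap is not evidence of back-dating.
TOLERANCE = timedelta(hours=48)

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Constructed sample records: (serial, notBefore, notAfter, [SCT timestamps])
CERTS = [
    ("01", ts("2020-08-20 00:00"), ts("2022-09-22 00:00"), [ts("2020-08-20 09:12")]),
    ("02", ts("2020-08-31 00:00"), ts("2022-10-03 00:00"), [ts("2020-08-31 14:30")]),
    ("03", ts("2020-08-31 00:00"), ts("2022-10-03 00:00"), [ts("2020-09-09 10:05")]),
    ("04", ts("2020-09-02 00:00"), ts("2021-09-30 00:00"), [ts("2020-09-02 08:00")]),
    ("05", ts("2020-08-31 23:00"), ts("2022-10-03 00:00"), [ts("2020-09-01 01:15")]),
]

def not_before_histogram(certs):
    """Count certificates per notBefore calendar date (UTC)."""
    return Counter(nb.date().isoformat() for _, nb, _, _ in certs)

def backdating_suspects(certs):
    """Long-lived certs dated before the cutoff but first logged after it."""
    suspects = []
    for serial, nb, na, scts in certs:
        if not scts:
            continue  # no log evidence either way
        first_logged = min(scts)  # log-signed time, independent of the CA's notBefore
        long_lived = (na - nb) > MAX_LIFETIME
        if (long_lived and nb < CUTOFF and first_logged >= CUTOFF
                and first_logged - nb > TOLERANCE):
            suspects.append((serial, first_logged - nb))
    return suspects

if __name__ == "__main__":
    for day, n in sorted(not_before_histogram(CERTS).items()):
        print(day, "#" * n)
    for serial, gap in backdating_suspects(CERTS):
        print(f"serial {serial}: first SCT {gap} after notBefore")
```

Record 05 is the case to watch when tuning the tolerance: issuance that straddles midnight on the cutoff date produces a post-cutoff SCT without any back-dating.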