HARICA participated in the discussion of ballot 185. Our concerns can be
summarized in the following:
* This proposal will raise the administrative overhead of Subscribers
significantly (from where it is today). System administrators time
is considered "expensive" thus, this proposal raises the cost for
Subscribers. We support automation tools for web sites but there are
more things to consider:
o SSL/TLS certificates are used for more than web services (FTPs,
LDAPs, IMAPs, POP3s, Radius, SMTP, etc). Subscribers operating
such services don't currently have the necessary tools to
automate the renewal process every year and it is not
anticipated that such tools will exist anytime soon (even in the
year to come).
o Some SSL/TLS certificates are used in Federated Services which
require out-of-bad distribution (a very manual process).
o There are many legacy devices that don't support automation in
certificate management (Wireless Access Points, VPN servers, etc).
* The CA/B Forum supports and requires ONLY _secure_ (to the best of
the community's knowledge) cryptographic algorithms in the Baseline
Requirements. These algorithms have a lifetime expectancy for
sustaining attacks and factoring, of several years. In cases where
an algorithm was proven or was even considered as insecure,
appropriate deprecation measures were adopted, consistent with the
vulnerabilities and threats. Of course there are lessons to be
learned, and this process must be improved, even standardized.
Requiring certificates to be issued every year does not substitute
the necessity for appropriate deprecation measures.
* We consider Google's S/MIME policy
<https://support.google.com/a/answer/7300887> for certificate
validity of 27 months, as the best next-step forward that should be
adopted by the CA/B Forum for the Baseline Requirements. It will
still raise the administrative overhead for Subscribers but it will
be less aggressive and easier to adopt.
For the reasons above, HARICA votes "no" for ballot 185.
We would support creating an agreed-upon questionnaire by the Forum
members (the same questionnaire for everyone) that will address most or
all of the concerns raised in the discussion period of ballot 185. This
questionnaire would be forwarded to CA Subscribers thus acquiring
consistent, concrete data that will help the Forum decide future steps
regarding the certificate validity period and domain validation (or
re-validation). We may come back to this in a different thread, after
the end of the voting period.
Best regards,
Dimitris Zacharopoulos.
On 13/2/2017 9:18 μμ, Ryan Sleevi via Public wrote:
Pursuant to the consensus on
https://cabforum.org/pipermail/public/2017-February/009530.html about
the nature of changes during the discussion period, and the request
from Gervase on
https://cabforum.org/pipermail/public/2017-February/009618.html to
adjust what represents the Baseline agreement, this adjusts the
effective date from 1 April to 24 August. While individual programs
may choose to enact or enforce requirements prior to that, as the
Baseline Requirements capture the effective point of common agreement
of the bare minimum security levels, it seems appropriate that this
Ballot accurately reflect that.
Ballot 185 - Limiting the Lifetime of Certificates
The following motion has been proposed by Ryan Sleevi of Google, Inc
and endorsed by Josh Aas of ISRG and Gervase Markham of Mozilla to
introduce new Final Maintenance Guidelines for the "Baseline
Requirements Certificate Policy for the Issuance and Management of
Publicly-Trusted Certificates" and the "Guidelines for the Issuance
and Management of Extended Validation Certificates"
-- MOTION BEGINS --
Modify Section 6.3.2 of the "Baseline Requirements Certificate Policy
for the Issuance and Management of Publicly-Trusted Certificates" as
follows:
Replace Section 6.3.2, which reads as follows:
"""
6.3.2. Certificate Operational Periods and Key Pair Usage Periods
Subscriber Certificates issued after the Effective Date MUST have a
Validity Period no greater than 60 months.
Except as provided for below, Subscriber Certificates issued after 1
April 2015 MUST have a Validity Period
no greater than 39 months.
Until 30 June 2016, CAs MAY continue to issue Subscriber Certificates
with a Validity Period greater than 39
months but not greater than 60 months provided that the CA documents
that the Certificate is for a system or
software that:
(a) was in use prior to the Effective Date;
(b) is currently in use by either the Applicant or a substantial
number of Relying Parties;
(c) fails to operate if the Validity Period is shorter than 60 months;
(d) does not contain known security risks to Relying Parties; and
(e) is difficult to patch or replace without substantial economic outlay
"""
with the following text:
"""
6.3.2. Certificate Operational Periods and Key Pair Usage Periods
Subscriber Certificates issued on or after 24 August 2017 MUST NOT
have a Validity Period greater than three hundred and ninety-eight
(398) days.
Subscriber Certificates issued prior to 24 August 2017 MUST NOT have a
Validity Period greater than thirty-nine (39) months.
"""
Modify Section 9.4 of the "Guidelines for the Issuance and Management
of Extended Validation Certificates" as follows:
Replace Section 9.4, which reads as follows:
"""
9.4. Maximum Validity Period For EV Certificate
The validity period for an EV Certificate SHALL NOT exceed twenty
seven months. It is RECOMMENDED that EV
Subscriber Certificates have a maximum validity period of twelve months.
"""
with the following text:
""""
9.4 Maximum Validity Period for EV Certificate
EV Certificates issued on or after 24 August 2017 MUST NOT have a
Validity Period greater than three hundred and ninety-eight (398) days.
EV Certificates issued prior to 24 August 2017 MUST NOT have a
Validity Period greater than twenty seven (27) months.
"""
-- MOTION ENDS --
Ballot 185 - Limiting the Lifetime of Certificates
Status: Final Maintenance Guideline
Review Period:
Start Time: 2017-02-10 00:00:00 UTC
End Time: 2017-02-17 00:00:00 UTC
Vote for Approval:
Start Time: 2017-02-17 00:00:00 UTC
End Time: 2017-02-24 00:00:00 UTC
Votes must be cast by posting an on-list reply to this thread on the
Public Mail List.
A vote in favor of the ballot must indicate a clear 'yes' in the
response. A vote against must indicate a clear 'no' in the response. A
vote to abstain must indicate a clear 'abstain' in the response.
Unclear responses will not be counted. The latest vote received from
any representative of a voting Member before the close of the voting
period will be counted. Voting Members are listed here:
https://cabforum.org/members/
In order for the ballot to be adopted, two thirds or more of the votes
cast by Members in the CA category and greater than 50% of the votes
cast by members in the browser category must be in favor.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
