GoDaddy votes No.
Our primary reasons for voting against are:
1. There was no attempt to build consensus around this ballot. While we
recognize that it takes a concrete proposal to spur action, we don’t believe
the discussion was constructive or that nearly enough time was allowed to find
common ground.
2. The 6-month deadline in the revised ballot represents consensus on how
long CAs should need to implement a change of this sort, but allowing more time
for planning can minimize the impact to all involved. For example:
* Giving large companies time to plan and budget for better automation
or more resources.
* Getting the word out to resellers who also need to notify their
customers and make changes to their systems.
* Allowing CAs time to work with customers to fulfill or modify prior
obligations such as enterprise contracts, retail sales of new multi-year
certificates, or reissuance of multi-year certificates.
We’d like to understand the specific concerns driving the tight timeline and
weigh them against the benefits gained from a moderately later effective date.
Thanks,
Wayne
From: Public [mailto:[email protected]] On Behalf Of Ryan Sleevi via
Public
Sent: Monday, February 13, 2017 12:18 PM
To: CABFPub <[email protected]>
Cc: Ryan Sleevi <[email protected]>
Subject: [cabfpub] Ballot 185 (Revised) - Limiting the Lifetime of Certificates
Pursuant to the consensus on
https://cabforum.org/pipermail/public/2017-February/009530.html about the
nature of changes during the discussion period, and the request from Gervase on
https://cabforum.org/pipermail/public/2017-February/009618.html to adjust what
represents the Baseline agreement, this adjusts the effective date from 1 April
to 24 August. While individual programs may choose to enact or enforce
requirements prior to that, as the Baseline Requirements capture the effective
point of common agreement of the bare minimum security levels, it seems
appropriate that this Ballot accurately reflect that.
Ballot 185 - Limiting the Lifetime of Certificates
The following motion has been proposed by Ryan Sleevi of Google, Inc and
endorsed by Josh Aas of ISRG and Gervase Markham of Mozilla to introduce new
Final Maintenance Guidelines for the "Baseline Requirements Certificate Policy
for the Issuance and Management of Publicly-Trusted Certificates" and the
"Guidelines for the Issuance and Management of Extended Validation Certificates"
-- MOTION BEGINS --
Modify Section 6.3.2 of the "Baseline Requirements Certificate Policy for the
Issuance and Management of Publicly-Trusted Certificates" as follows:
Replace Section 6.3.2, which reads as follows:
"""
6.3.2. Certificate Operational Periods and Key Pair Usage Periods
Subscriber Certificates issued after the Effective Date MUST have a Validity
Period no greater than 60 months.
Except as provided for below, Subscriber Certificates issued after 1 April 2015
MUST have a Validity Period
no greater than 39 months.
Until 30 June 2016, CAs MAY continue to issue Subscriber Certificates with a
Validity Period greater than 39
months but not greater than 60 months provided that the CA documents that the
Certificate is for a system or
software that:
(a) was in use prior to the Effective Date;
(b) is currently in use by either the Applicant or a substantial number of
Relying Parties;
(c) fails to operate if the Validity Period is shorter than 60 months;
(d) does not contain known security risks to Relying Parties; and
(e) is difficult to patch or replace without substantial economic outlay
"""
with the following text:
"""
6.3.2. Certificate Operational Periods and Key Pair Usage Periods
Subscriber Certificates issued on or after 24 August 2017 MUST NOT have a
Validity Period greater than three hundred and ninety-eight (398) days.
Subscriber Certificates issued prior to 24 August 2017 MUST NOT have a Validity
Period greater than thirty-nine (39) months.
"""
Modify Section 9.4 of the "Guidelines for the Issuance and Management of
Extended Validation Certificates" as follows:
Replace Section 9.4, which reads as follows:
"""
9.4. Maximum Validity Period For EV Certificate
The validity period for an EV Certificate SHALL NOT exceed twenty seven months.
It is RECOMMENDED that EV
Subscriber Certificates have a maximum validity period of twelve months.
"""
with the following text:
""""
9.4 Maximum Validity Period for EV Certificate
EV Certificates issued on or after 24 August 2017 MUST NOT have a Validity
Period greater than three hundred and ninety-eight (398) days.
EV Certificates issued prior to 24 August 2017 MUST NOT have a Validity Period
greater than twenty seven (27) months.
"""
-- MOTION ENDS --
Ballot 185 - Limiting the Lifetime of Certificates
Status: Final Maintenance Guideline
Review Period:
Start Time: 2017-02-10 00:00:00 UTC
End Time: 2017-02-17 00:00:00 UTC
Vote for Approval:
Start Time: 2017-02-17 00:00:00 UTC
End Time: 2017-02-24 00:00:00 UTC
Votes must be cast by posting an on-list reply to this thread on the Public
Mail List.
A vote in favor of the ballot must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain must
indicate a clear 'abstain' in the response. Unclear responses will not be
counted. The latest vote received from any representative of a voting Member
before the close of the voting period will be counted. Voting Members are
listed here: https://cabforum.org/members/
In order for the ballot to be adopted, two thirds or more of the votes cast by
Members in the CA category and greater than 50% of the votes cast by members in
the browser category must be in favor.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
