[cabfpub] about EV period for Gov
sleevi at google.com
Tue Nov 18 07:36:31 MST 2014
On Nov 18, 2014 7:26 AM, "Rich Smith" <richard.smith at comodo.com> wrote:
> Gerv and Ryan,
> I agree with both your reasoning as to 5-year certs, but I think you've
> also misunderstood Richard's request. He is asking that EVs be allowed
> 39 months, not 60, for government sites.
No, I understood perfectly well. The point was that 60 months (current BRs)
is too long, and the 39 months was a compromise with CAs, but not one that
reflects a good security posture. That it takes 3 years to roll out changes
is hardly a feature.
> I'm against that proposal, but
> only because I don't think it's wise to carve out a special rule just for
> one type of client. I would like to suggest however, that now that we
> agreed to a max 39 months for TLS certs in the BR, how about we allow EVs
> for 39 months along with DV and OV certs. Given the extra vetting that goes
> into EV, I don't think this would create any additional threat than
> DV/OV for 39 months, in fact I think allowing 39 for EV is probably less
> problematic from a vetting point of view, and doesn't change your points
> about rolling out security enhancements significantly given that DV/OV
> represent the majority of certificates issued.
I suspect we will disagree on this point. Rather than weaken the EVs
because the BRs are weak, why not strengthen the BRs and limit them to 27
months as well?
> I don't really have strong feelings about this proposal either way, but I
> think it would make things easier on all parties involved if we settled on a
> single max lifetime for all TLS certificates at this point. 27 months was
> chosen for EV years before this group even conceived of the BRs and was
> chosen partially at least because there was no limit on the lifetime of
> certificates at all at the time, and it was rather arbitrary. We've now
> settled on 39 months as a max lifetime for TLS certs, and even if you think
> that should be shortened further, should that debate come up, I think it
> would be better if the debate encompassed all TLS certs rather than
> continuing to have to debate two separate, arbitrary time frames.
So would you support limiting the BRs to 27 months in order to harmonize?
Or to 15 months across the board?
> > -----Original Message-----
> > From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> > On Behalf Of Gervase Markham
> > Sent: Tuesday, November 18, 2014 4:21 AM
> > To: Ryan Sleevi; "Richard at WoSignrichard"@wosign.com
> > Cc: Dean Coclin (Dean_Coclin at symantec.com); CABFPub
> > Subject: Re: [cabfpub] about EV period for Gov
> > On 18/11/14 06:45, Ryan Sleevi wrote:
> > > The limitations of date do not just apply to vetting information, but
> > > to providing an orderly and efficient window for making improvements
> > > and deprecating insecure practices.
> > I think this is the key point here. Certs have a limited life so that
> > we can make sure that all certs get security and process improvements
> > in a reasonable timeframe. As Ryan says, 3 years is still a long time
> > and it would be nice if it was shorter, but 5 years is way, way too
> > long.
> > If the government were willing to say "OK, if you give us a 5 years
> > cert, we understand that you may tell us to revoke it and replace it at
> > any time and we are cool with that", that might be OK - but if that's
> > true, why can't they just have a 3-year cert?
> > Gerv