On 17/03/17 15:30, Gervase Markham wrote:
> The URL for the draft of the next CA Communication is here:
> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S000000G3K2
>
> Note that this is a _draft_ - the form parts will not work, and no CA
> should attempt to use this URL or the form to send in any responses.

Here is another proposed question:

Certificate Validity Periods

Your attention is drawn to CAB Forum ballot 193, which recently passed. This reduces the maximum permissible lifetime of certificates from 39 to 27 months, as of 1st March 2018. In addition, it reduces the amount of time validation information can be reused, from 39 to 27 months, as of 31st March 2017. Please be aware of these deadlines so you can adjust your practices accordingly.

Mozilla is interested in, and the CAB Forum continues to discuss, the possibility of further reductions in certificate lifetime. We see a benefit here in reducing the overall turnover time it takes for an improvement in practices or algorithms to make its way through the entire WebPKI. Shorter times, carefully managed, also encourage the ecosystem towards automation, which is beneficial when quick changes need to be made in response to security incidents.

Specifically, Mozilla is currently considering a reduction to 13 months, effective as of 1st March 2019 (2 years from now). Alternatively, several CAs have said that the need for contract renegotiation is a significant issue when reducing lifetimes, so in order that CAs will only have to do this once rather than twice, another option would be to require the reduction from 1st March 2018 (1 year from now), the current reduction date.

Please explain whether you would support such a further reduction dated to one or both of those dates and, if not, what specifically prevents you from lending your support to such a move. You may wish to reference the discussion on the CAB Forum public mailing list to familiarise yourself with the detailed arguments in favour of certificate lifetime reduction.

Comments, as always, are welcome.

Gerv