On 27/03/2017 11:10, Gervase Markham wrote:
> On 17/03/17 15:30, Gervase Markham wrote:
>> The URL for the draft of the next CA Communication is here:
>> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S000000G3K2
>>
>> Note that this is a _draft_ - the form parts will not work, and no CA
>> should attempt to use this URL or the form to send in any responses.
>
> Here is another proposed question:
>
> Certificate Validity Periods
>
> Your attention is drawn to CAB Forum ballot 193, which recently passed.
> This reduces the maximum permissible lifetime of certificates from 39 to
> 27 months, as of 1st March 2018. In addition, it reduces the amount of
> time validation information can be reused, from 39 to 27 months, as of
> 31st March 2017. Please be aware of these deadlines so you can adjust
> your practices accordingly.


While this has apparently already passed, the earlier date for
requiring revalidation is going to be a problem for any CA that has
already sold a large number (thousands, millions) of prepaid 3 year
contracts based on the assumption that validation costs would be
incurred by the CA only once during the contract period.

As I have noted elsewhere, at least one major CA (GlobalSign) has a
contract structure and issuance practice which assumes that the
validity of validation information is at least as long as the
certificate validity period.  Thus for any 3-year GlobalSign
certificate issued in the past 2 years, GlobalSign would have already
promised the cert holders that the work and costs of doing certificate
validation had been fully completed at the time when payment was
collected.

This is all because the allowed validity of validation information is
being retroactively shortened within that validity period. It would
not have occurred if the shorter validity period of validation
information only applied to validation information gathered after a
deadline that isn't in the extremely near future (if someone orders an
OV cert *today* and pays *today's* price, the validation might not
complete until next week).

At least this needs to be considered when doing the next reduction (if any).


> Mozilla is interested in, and the CAB Forum continues to discuss, the
> possibility of further reductions in certificate lifetime. We see a
> benefit here in reducing the overall turnover time it takes for an
> improvement in practices or algorithms to make its way through the
> entire WebPKI. Shorter times, carefully managed, also encourage the
> ecosystem towards automation, which is beneficial when quick changes
> need to be made in response to security incidents. Specifically, Mozilla
> is currently considering a reduction to 13 months, effective as of 1st
> March 2019 (2 years from now). Alternatively, several CAs have said that
> the need for contract renegotiation is a significant issue when reducing
> lifetimes, so in order that CAs will only have to do this once rather
> than twice, another option would be to require the reduction from 1st
> March 2018 (1 year from now), the current reduction date.
>
> Please explain whether you would support such a further reduction dated
> to one or both of those dates and, if not, what specifically prevents
> you from lending your support to such a move. You may wish to reference
> the discussion on the CAB Forum public mailing list to familiarise
> yourself with the detailed arguments in favour of certificate lifetime
> reduction.


Note that it is very common for all the underlying validity information
to be fixed for 2 or more years (for example domain registrations,
company registrations etc.), providing little reason to impose the
inconvenience and cost of short certificate lifespans onto every
ongoing business and every personal website on the planet.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy