Hi all! >From the discussions we had in the last months internally at Siemens IT >department about the 825 days rule, I can report that our server operators >need a long term roadmap in this issue. The main point here is, that there are >a hell lot of applications out there that don't (easily) support automated >SSL/TLS certificate replacement (e.g. some SAP systems). To enable those >systems to support automated certificate replacement a significant amount of >money will need to be invested. To get approval for such an investment, one >needs to calculate a business case. And this business case looks obviously >much different, if a certificate on a system needs to be replaced every 825 >days, 731 days, 366 days or even 90 days. So I would like to propose not to >start discuss about the next reduction step now, but agree on a clear >(semi-)final goal (e.g. max life span of a certificate is 45 days in 2023 >(five years from now)) and then agree on the intermediate steps to reach this >goal.
With best regards, Rufus Buschart Siemens AG GS IT HR 7 4 Hugo-Junkers-Str. 9 90411 Nuernberg, Germany Tel.: +49 1522 2894134 mailto:rufus.busch...@siemens.com www.siemens.com/ingenuityforlife -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+rufus.buschart=siemens....@lists.mozilla.org] On Behalf Of Alex Gaynor via dev-security-policy Sent: Montag, 2. April 2018 20:51 To: Tim Hollebeek Cc: MozPol Subject: Re: 825 days success and future progress! Hi Tim, I'd have suggested an even shorter period, say 13 months, except I anticipated CAs would object that it was too great a change too suddenly, precisely as they did when this subject was last discussed! While I appreciate that changing BRs can be difficult for customer communications, the fact that we are doing this in multiple steps instead of in one fell swoop is a result of CAs saying such a big leap was too disruptive. Frankly, you can't have it both ways. Alex On Mon, Apr 2, 2018 at 2:28 PM, Tim Hollebeek <tim.holleb...@digicert.com> wrote: > 18 months is not significantly different from 825 days. So there's really > no benefit. > > People have to stop wanting to constantly change the max validity period. > It's difficult enough to communicate these changes to consumers and > customers, and it really drives them nuts. I can only imagine what a > non-integral number of years will do to various company's planning and > budgeting processes. > > I would propose, instead, a minimum one year moratorium on proposals > to change the max validity period after the previous change to the max > validity period goes into effect. That would make much more sense. > > -Tim > > > -----Original Message----- > > From: dev-security-policy [mailto:dev-security-policy- > > bounces+tim.hollebeek=digicert....@lists.mozilla.org] On Behalf Of > > bounces+Alex > > Gaynor via dev-security-policy > > Sent: Monday, April 2, 2018 1:07 PM > > To: MozPol <mozilla-dev-security-pol...@lists.mozilla.org> > > Subject: 825 days success and future progress! > > > > Afternoon all! > > > > A month ago a new BR rule went into effect, putting a maximum > > validity > period > > of 825 days on newly issued certificates. > > > > Truthfully, I was expecting tons of CAs to screw up, forget to > > implement > it, or > > have no technical controls, and there to be tons of miss-issuance. > > To me delight, the results have been pretty good: > > https://crt.sh/?zlint=1081&minNotBefore=2018-03-01 the majority of > > violations have been from the US Government (whose PKI isn't > > remotely BR compliant, nor trusted by Mozilla). > > > > In light of this incredible success, I think it's time to begin a > discussion on what > > the next in this chain is. While obviously actually encoding this in > > the > BRs will > > be a function of the CABF, as mdsp is the premier public discussion > > forum > for > > the PKI, I wanted to start here. > > > > I propose that our next target should be a max validity period of 18 > months > > (~550 days), starting in ~6 months from now. > > > > The value of shorter-lived certificates has been discussed many > > times, > but > to > > rehash: They afford the ecosystem significantly more agility, by > > allowing > us to > > remove mistakes in shorter periods of time without breaking valid > certificates. > > It also encourages subscribers to adopt more automation, which > > further > helps > > with agility. > > > > Alex > > _______________________________________________ > > dev-security-policy mailing list > > dev-security-policy@lists.mozilla.org > > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
