On 07/02/17 05:15, Peter Bowen via Public wrote:
> Assuming we all agree that subscribers expect the certificates they already have to continue to work until they expire, then the only way to increase the rate of change is to reduce the maximum duration of validity.

For me, this is the key argument. Subscribers, I would postulate (not being a CA), don't like it when they get a call saying "even though we sold you a 2-year cert six months ago, you need to change it now". And many customers won't get the message anyway. I would like us to be able to make improvements to the CA ecosystem and have them fully worked through the system in a reasonable amount of time. The only way to do that without massive customer disruption is to shorten maximum validity periods, because customers will (almost!) always be aware of and have marked the expiry date of the new certificate they received as an important date by when they need to take action.

> I think the answer to #2 is the lynchpin. Certificates can be quite complex to install on some systems, frequently requiring downtime of the system. How often should this be required?

Again, for reasons of ecosystem agility and for better response to incidents, I would like to see automation much more widely deployed, but I recognise that's not the world we live in right now. So an immediate move to a probably-need-to-automate max validity like 3 months is not yet feasible. But I also think something like 2 years, while an improvement, would not drive the kind of change that is needed here. So I am coming to the conclusion that the 400 days proposal is the correct next step for the Forum here.

(If people have other suggestions for encouraging the system towards automation, it would be great to hear those. But perhaps in a separate thread!)

Gerv

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
