CAcert Code Development list.

[Bernhard Fröhlich <bernhard AT cacert.org>]

Hello dear Policy Group,

about half a year ago, bug #1482 
<http://bugs.cacert.org/view.php?id=1482> has been reported.

Chromium and Apple intend to require from their accepted CAs that they 
only issue HTTPS certificates with a maximum lifetime of one year. This 
bug report requests that CAcert should follow this requirement.
Now, the technical change to implement this is absolutely trivial, but 
the current CPS explicitly states that certificates for assured members 
have a lifetime of 24 months, and IMHO it is not legitimate that the 
software development installs a software change that explicitly 
contradicts the CPS.

So policy group should discuss and decide whether we want to adopt this 
requirement (and therefor change the CPS) or not.


AFAIK the background of this requirement is the observation that all 
current revocation procedures have severe shortcomings and are therefore 
not widely implemented. So a certificate normally can used for its whole 
lifetime, even if its private key is known to be compromised.

The current strategy to mitigate this situation is obviously to go for 
shorter certificate lifetimes and automated re-issuing of certificates, 
like let's encrypt does this.



<paranoia>If you prefer darker scenarios one could also think that 
Google, as the driving force behind let's encrypt and Chrome, just wants 
to harass other CAs.</paranoia> But since it's a valid point that 
revocation is in fact not reliable, this proposal IMHO at least deserves 
a serious discussion.

So, what are your opinions?

Kind regards
Ted

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature