If You Don’t Like Your CA’s Practices, Find One More Sympatico

April 24, 2012 by Jon Callas     No Comments

The following Mozilla bug came my way via the Cryptography mailing list.

The gist of it is that a Norton (né VeriSign) customer asked for a certificate with two-year certificate, and got one with six-year validity. I don’t precisely understand why the customer is complaining to Mozilla, but they didn’t get satisfaction with Norton, who wouldn’t do what they want.

I can understand the irritation. Norton has just assumed that the customer will continue buying for six years and has left what happens if they don’t as an eventuality. I’d hate it too if any supplier of mine just assumed that I’d keep buying. It’s an affront on the customer service side.

That customer in question is also upset that the new CA/Browser Forum Baseline Requirements for issuing certificates says they shouldn’t be longer than five years, and those requirements go in effect in two months. Norton’s reply seems to be that since the new requirements don’t take effect until July 1, they are in compliance.

Part of me would shrug this off. Despite the fact that I am a huge supporter of short lifetime certificates (my paper on the value of them among other things is now nine years old), and I believe that this is something on which gentlepersons can disagree. If a CA wants to run six-year CRLs and deal with what happens if the customer decides they want someone new, well, that’s their business practice.

Strictly speaking, they’re also right since the new baseline requirements haven’t taken effect, they don’t have to comply with them yet.

But really! That six-year certificate is going to be valid for five years and ten months after it is no longer compliant! The customer wanted a two year certificate, at least in part because they believe that short certificate lifetimes lead to better security. There are people who believe that CAs want to do the least work for the most money, don’t care about the end user, and find security standards to be something that gets in the way. This behavior and attitude only reinforces that belief.

To the person who’s upset and anyone else, I would like to say that you don’t have to stay with your present CA if you don’t like their business practices. Here at Entrust we:

  • Offer flexible validity and reissuance that you can manage yourself.
  • Don’t force you into non-compliant certificates.
  • Don’t presume that we have you forever.
  • Have real customer service.
  • Consider our and your security to be the whole reason we have a relationship.
  • Are even less expensive than most other alternatives.

If you don’t like what your CA is doing, you don’t have to complain to Mozilla. You can complain to us. We can handle the problem better than they can, too.

Jon Callas


Jon Callas has over 30 years of experience and served as Entrust’s Chief Technology Officer. Prior to joining Entrust, Callas co-founded PGP Corporation which specialized in email and data encryption software. Over the course of more than fifteen years, Callas held leadership functions including CTO and CSO. Most recently, he also served as an operating system security expert with Apple. Additionally, he has held leadership positions with corporations including Wave Systems Corporation, Digital Equipment Corporation and Counterpane Internet Security Inc. He has also authored several Internet Engineering Task Force (IETF) standards including OpenPGP, DKIM, and ZRTP.

Add to the Conversation