If You Don’t Like Your CA’s Practices, Find One More Sympatico

Entrust CTO

The following Mozilla bug came my way via the Cryptography mailing list.

The gist of it is that a Norton (né VeriSign) customer asked for a certificate with two-year validity, and got one with six-year validity. I don’t precisely understand why the customer is complaining to Mozilla, but they didn’t get satisfaction with Norton, who wouldn’t do what they want.

I can understand the irritation. Norton has just assumed that the customer will continue buying for six years and has left what happens if they don’t as an eventuality. I’d hate it too if any supplier of mine just assumed that I’d keep buying. It’s an affront on the customer service side.

The customer in question is also upset that the new CA/Browser Forum Baseline Requirements for issuing certificates say certificates shouldn’t be valid for longer than five years, and those requirements go into effect in two months. Norton’s reply seems to be that since the new requirements don’t take effect until July 1, they are in compliance.

Part of me would shrug this off. I am a huge supporter of short-lifetime certificates (my paper on the value of them, among other things, is now nine years old), but I believe that this is something on which gentlepersons can disagree. If a CA wants to run six-year CRLs and deal with what happens if the customer decides they want someone new, well, that’s their business practice.

Strictly speaking, they’re also right: since the new baseline requirements haven’t taken effect, they don’t have to comply with them yet.

But really! That six-year certificate is going to be valid for five years and ten months after it is no longer compliant! The customer wanted a two-year certificate, at least in part because they believe that short certificate lifetimes lead to better security. There are people who believe that CAs want to do the least work for the most money, don’t care about the end user, and find security standards to be something that gets in the way. This behavior and attitude only reinforces that belief.
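As an added example (not code from the original post or from Entrust), here is a small Python audit script that checks a certificate’s validity period against the five-year limit described above, reading the notBefore/notAfter lines printed by `openssl x509 -noout -dates`. The effective year (2012) and the sample dates are assumptions constructed to match the six-year certificate in the post.

```python
import ssl
from datetime import datetime, timezone

# Policy as described in the post: certificates should not be valid for longer
# than five years, with the requirement taking effect on July 1. The year 2012
# is an assumption; adjust it to match the policy you are auditing against.
MAX_VALIDITY_YEARS = 5
POLICY_EFFECTIVE = datetime(2012, 7, 1, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Parse the `notBefore=...` / `notAfter=...` lines printed by
    `openssl x509 -noout -dates` into timezone-aware datetimes."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds accepts e.g. "May  1 00:00:00 2012 GMT"
            secs = ssl.cert_time_to_seconds(value.strip())
            dates[key.strip()] = datetime.fromtimestamp(secs, tz=timezone.utc)
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    return dates["notBefore"], dates["notAfter"]


def add_years(when, years):
    """Shift a datetime by whole years, clamping Feb 29 to Feb 28."""
    try:
        return when.replace(year=when.year + years)
    except ValueError:
        return when.replace(year=when.year + years, day=28)


def audit_validity(not_before, not_after):
    """Report the validity period and how it relates to the five-year policy."""
    latest_allowed = add_years(not_before, MAX_VALIDITY_YEARS)
    return {
        "validity_days": (not_after - not_before).days,
        "exceeds_max_validity": not_after > latest_allowed,
        "issued_before_policy": not_before < POLICY_EFFECTIVE,
        # How long the certificate stays valid once the policy is in force.
        "days_valid_after_policy_start": max((not_after - POLICY_EFFECTIVE).days, 0),
    }


def audit_openssl_dates(text):
    return audit_validity(*parse_openssl_dates(text))


if __name__ == "__main__":
    # Constructed sample: the six-year certificate the post complains about.
    SAMPLE = "notBefore=May  1 00:00:00 2012 GMT\nnotAfter=May  1 00:00:00 2018 GMT\n"
    print(audit_openssl_dates(SAMPLE))
```

For the constructed sample the script reports 2191 days of validity, exceeding the five-year limit, and 2130 days (about five years and ten months) of remaining validity after the policy takes effect.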

To the person who’s upset and anyone else, I would like to say that you don’t have to stay with your present CA if you don’t like their business practices. Here at Entrust we:

  • Offer flexible validity and reissuance that you can manage yourself.
  • Don’t force you into non-compliant certificates.
  • Don’t presume that we have you forever.
  • Have real customer service.
  • Consider our and your security to be the whole reason we have a relationship.
  • Are even less expensive than most other alternatives.

If you don’t like what your CA is doing, you don’t have to complain to Mozilla. You can complain to us. We can handle the problem better than they can, too.
