Daniel Veditz, the security lead at Mozilla said that he sees why CAs might have a problem with this from a business and legal standpoint. If a CA already sold a "product" — in this case a certificate — in the past with certain terms and would later violate those terms by deciding to reduce the certificate's validity period, they might be in hot water, he said.
"Although it does seem as if reissuing as a 60-month cert with the promise to reissue with the balance later ought to be satisfactory," Vediz said.
Markham agreed. "No one is asking CAs to not give customers what they've paid for in terms of duration; it will just need to be 2 (or more) separate certs," he said. "I agree that changing certs once every 5 years rather than every 10 might be a minor inconvenience for customers who use the same web server hardware and software for more than 5 years, but I'm not sure how large a group that is."
Mozilla's PR firm in the U.K. could not immediately provide a statement from the company regarding this issue.
Sign up for Computerworld eNewsletters.