These changes are coming from the CAB forum, which includes basically every entity that ships a popular web browser and every entity that ships certificates trusted in those browsers.
There are use cases for certificates that exist outside of that umbrella, but they are by definition niche.
The pitch here wasn't that only a few people get a vote; it was that the people making the decisions aren't aware of how "the wider world" works. And they are, clearly. The people making Chrome/Firefox and the people running the CAs every publicly-trusted site uses are aware of what their products do, and how they are used.
In another comment someone linked to a document from the Chrome team.
Here’s a quote that I found interesting:
“In Chrome Root Program Policy 1.5, we landed changes that set a maximum ‘term-limit’ (i.e., period of inclusion) for root CA certificates included in the Chrome Root Store to 15 years.
While we still prefer a more agile approach, and may again explore this in the future, we encourage CA Owners to explore how they can adopt more frequent root rotation.”
> So no one that actually has to renew these certificates.
I believe Google, who maintain Chrome and are on the CAB, are an entity well known for hosting various websites (iirc, it's their primary source of income), and those websites do use HTTPS.
Which is why root certs are stored in HSMs, there’s a well defined total set of them, and if the owner violates any of the rules around handling of them, the CAB can put them out of business.
You're kidding, right? You've never seen a server completely inaccessible just because the owner had trouble renewing the cert? A lot of websites went down this way. And they served static content. Shortening that window is just asking for trouble.