On Wednesday, 9 November 2016 09:59:10 UTC, Gervase Markham wrote:
> The current maximum lifetime of a BR cert is 39 months. 17th Feb 2013 is
> more than 39 months ago. (Even if it were previously possible to issue
> longer certs and some may still be around, those will all be SHA-1, and
> so no longer work from January. There may also have been an intro period
> for BR compliance, but even with that, we must be pretty much hitting 39
> months now.)

I am not always very clear on how Censys queries work, but I believe this query is a useful starting point (within the limited context of Censys):

    current_valid_nss: true AND (NOT parsed.extensions.extended_key_usage:1)

A couple of examples that look to me as though they might be able to be installed in a web server yet lack the EKU:

https://censys.io/certificates/127f386498e3cfd330e40699b92efb68b72bfaa08af68f9a0fe959b1fea3ae9c
https://censys.io/certificates/c52d1aa01fbc3e7095d8c6336423590fdad7b003304f6b73ed835e36f8f802b3

> So, it is now possible to change Firefox to mandate the presence of
> id-kp-serverAuth for EE server certs from Mozilla-trusted roots? Or is
> there some reason I've missed we can't do that?

I would be astonished if there were literally no certificates in use on web servers which will get rejected as a result of this change. So the question is how much pain it's worth and whether it helps to wait another year or so.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
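The check the thread is debating (does an end-entity certificate carry an extendedKeyUsage extension, and does that extension list id-kp-serverAuth?) is easy to run locally against certificates pulled from a server or from Censys. The following is an added example written for this editorial pass; it is not code from the thread, from Mozilla or from Censys. It uses Go's standard crypto/x509 package, mints its own throwaway self-signed certificates (constructed test data, not the certificates linked above) and classifies three cases: no EKU extension at all, EKU with id-kp-serverAuth, and EKU present but listing only id-kp-clientAuth. The third case goes slightly beyond the Censys query quoted in the message, which only finds certificates with no EKU extension; the function names and the "accepted under the proposal" rule are this example's own interpretation of "mandate the presence of id-kp-serverAuth".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// OID of the X.509 extendedKeyUsage extension (2.5.29.37).
var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}

// EKUVerdict records what a relying party sees for one end-entity certificate.
type EKUVerdict struct {
	HasEKU        bool // an extendedKeyUsage extension is present at all
	HasServerAuth bool // id-kp-serverAuth (1.3.6.1.5.5.7.3.1) is listed in it
}

// CheckServerAuthEKU parses one PEM-encoded certificate and reports its EKU state.
func CheckServerAuthEKU(pemBytes []byte) (EKUVerdict, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return EKUVerdict{}, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return EKUVerdict{}, err
	}
	var v EKUVerdict
	// Look at the raw extension list so an EKU holding only OIDs Go does not
	// recognise still counts as "EKU present".
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidExtKeyUsage) {
			v.HasEKU = true
		}
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			v.HasServerAuth = true
		}
	}
	return v, nil
}

// AcceptedUnderProposal applies the rule floated in the thread, as read here:
// a server certificate is accepted only if id-kp-serverAuth is present.
func AcceptedUnderProposal(v EKUVerdict) bool {
	return v.HasServerAuth
}

// MakeTestCert mints a throwaway self-signed certificate (constructed for this
// example) with the given EKU list; an empty list yields a certificate with no
// extendedKeyUsage extension, which is what x509.CreateCertificate does.
func MakeTestCert(cn string, ekus []x509.ExtKeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	cases := map[string][]x509.ExtKeyUsage{
		"no-eku.example":     nil,
		"serverauth.example": {x509.ExtKeyUsageServerAuth},
		"clientauth.example": {x509.ExtKeyUsageClientAuth},
	}
	for cn, ekus := range cases {
		pemCert, err := MakeTestCert(cn, ekus)
		if err != nil {
			panic(err)
		}
		v, err := CheckServerAuthEKU(pemCert)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s hasEKU=%-5v serverAuth=%-5v accepted=%v\n",
			cn, v.HasEKU, v.HasServerAuth, AcceptedUnderProposal(v))
	}
}
```

To audit real certificates, replace MakeTestCert with the PEM read from a server or downloaded from Censys and feed it to CheckServerAuthEKU; a certificate that reports HasEKU=false is the kind the quoted query is hunting for, while HasEKU=true with HasServerAuth=false is the case the query does not surface but that the same Firefox change would also reject.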

