In this context, I was wondering: Has there been a discussion yet on Firefox 
enforcing cert lifetime in code not just via policy?

Most everything seems to be in place already due to EV, but DV doesn't have a 
limit atm. [0]

Now in practice, thanks to killing sha1, most of those legacy certs are 
probably distrusted anyway. But then again, backdating is technically possible, 
until full CT can provide protection in ~4 years iiuc, and it's a pretty 
stealthy way for CAs to subvert current guidelines (unless you do it 
WoSign-style I guess...)

Limiting to 60 months could be done right now as a sanity check and shouldn't 
cause any problems, right?
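As an added illustration of what an in-code lifetime check (as opposed to a policy-only limit) looks like, here is a small Go program that is not part of this thread or of Firefox. It builds a constructed self-signed test certificate with a chosen validity period, then runs a verifier hook that rejects any leaf whose notAfter lies more than 60 months after its notBefore. The 60-month figure, the `example.test` name and the 2016-01-01 start date are assumptions for the demonstration; the hook's signature matches `tls.Config.VerifyPeerCertificate`, so the same function could be wired into a TLS client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// maxDVMonths is the hypothetical in-code ceiling discussed in the post.
const maxDVMonths = 60

// lifetimeExceeds reports whether cert.NotAfter runs past notBefore + maxMonths.
// The limit is computed calendar-wise with AddDate (the way requirements are
// phrased in months), not as a count of 30-day blocks; note that AddDate
// normalises day overflow (e.g. 31 Jan + 1 month lands in early March).
func lifetimeExceeds(cert *x509.Certificate, maxMonths int) bool {
	limit := cert.NotBefore.AddDate(0, maxMonths, 0)
	return cert.NotAfter.After(limit)
}

// checkLifetime has the shape of tls.Config.VerifyPeerCertificate. It runs in
// addition to normal chain validation and fails the handshake when the leaf's
// validity period exceeds the ceiling, regardless of what the issuing CA did.
func checkLifetime(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("no peer certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if lifetimeExceeds(leaf, maxDVMonths) {
		return fmt.Errorf("certificate lifetime exceeds %d months (notBefore=%s notAfter=%s)",
			maxDVMonths, leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	return nil
}

// selfSignedDER builds a constructed self-signed test certificate valid for
// the given number of months from notBefore. It is test data only, not a CA cert.
func selfSignedDER(notBefore time.Time, months int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // assumed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, months, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example.test"},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// acceptedWithLifetime builds a test cert of the given lifetime and reports
// whether checkLifetime would let it through. Build errors are returned as-is.
func acceptedWithLifetime(months int) (bool, error) {
	start := time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC) // assumed notBefore
	der, err := selfSignedDER(start, months)
	if err != nil {
		return false, err
	}
	return checkLifetime([][]byte{der}, nil) == nil, nil
}

func main() {
	// 60 months is exactly the ceiling and passes; 61 and 120 are rejected.
	for _, m := range []int{36, 60, 61, 120} {
		ok, err := acceptedWithLifetime(m)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%3d-month certificate accepted: %v\n", m, ok)
	}
}
```

The check deliberately reads only notBefore and notAfter, so it is cheap and independent of the chain; it does nothing against backdating itself, which is the gap the post says only CT closes, but it does stop a certificate whose stated period is too long from ever being accepted.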

dev-security-policy mailing list