A certificate issued by GlobalSign showed up in CT today with a notBefore date of March 21, 2018 and a notAfter date of April 23, 2021, a validity period of ~1129 days (more than three years).
https://crt.sh/?id=311477948&opt=zlint

CA/B Forum ballot 193 modified the Baseline Requirements to set a maximum validity period of 825 days for certificates issued after March 1, 2018. While the BRs do not appear to have any rules about forward-dating certificates, Mozilla’s CA Forbidden or Problematic Practices say:

> Certificates do not contain an issue timestamp, so it is not possible to be
> certain when they were issued. The notBefore date is the start of the
> certificate's validity range, and is set by the CA. It should be a reasonable
> reflection of the date on which the certificate was issued. Minor tweaking
> for technical compatibility reasons is accepted, but backdating certificates
> in order to avoid some deadline or code-enforced restriction is not.

https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date

This incident makes me think that two changes should be made:

1) The Root Store Policy should explicitly ban forward and back-dating the notBefore date.

2) Firefox should implement a technical check to enforce the validity period so that issuance practices like this do not impact users (see https://bugzilla.mozilla.org/show_bug.cgi?id=908125)

Jonathan
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
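The two checks argued for in the post (an 825-day validity limit for certificates dated on or after the ballot 193 cutoff, and a comparison of notBefore against an independent observation of when the certificate actually existed), as an added Python example that is not part of the original post or of any Mozilla/Firefox code. The certificate dates are the ones from the post; the CT observation timestamp and the 48-hour "minor tweaking" tolerance are assumed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Ballot 193: certificates dated on/after this cutoff get at most 825 days of validity.
BR_825_DAY_CUTOFF = datetime(2018, 3, 1, tzinfo=timezone.utc)
MAX_VALIDITY = timedelta(days=825)
# Allowance for "minor tweaking for technical compatibility". The 48h figure is an
# assumption chosen for this example; neither the BRs nor Mozilla policy fix a number.
DATING_TOLERANCE = timedelta(hours=48)


@dataclass
class DateFinding:
    validity_days: int
    exceeds_max_validity: bool  # would fail a browser-side 825-day check
    skew_days: float            # notBefore minus observed time; >0 forward-dated, <0 backdated
    suspicious_dating: bool


def check_certificate_dates(not_before: datetime, not_after: datetime,
                            observed_at: datetime) -> DateFinding:
    """Apply both checks.

    not_before / not_after come from the certificate. observed_at is an
    independent signal of when the certificate existed, e.g. the timestamp of
    its earliest SCT or the time a CT monitor first saw it.
    """
    validity = not_after - not_before
    # notBefore is the only "issue date" a certificate carries, which is exactly
    # why backdating it past the cutoff would matter; hence the second check.
    exceeds = not_before >= BR_825_DAY_CUTOFF and validity > MAX_VALIDITY
    skew = not_before - observed_at
    return DateFinding(
        validity_days=validity.days,
        exceeds_max_validity=exceeds,
        skew_days=skew / timedelta(days=1),
        suspicious_dating=abs(skew) > DATING_TOLERANCE,
    )


if __name__ == "__main__":
    utc = timezone.utc
    # Dates from the post; the CT observation time is a constructed sample value.
    finding = check_certificate_dates(
        datetime(2018, 3, 21, tzinfo=utc),
        datetime(2021, 4, 23, tzinfo=utc),
        datetime(2018, 3, 21, 9, 30, tzinfo=utc),
    )
    print(finding)
```

A browser enforcing only the first check would still accept a certificate whose notBefore was backdated before the cutoff, which is why the post asks for the policy ban as well.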