On 1/23/2018 2:55 PM, Jonathan Rudenberg wrote:
> A certificate issued by GlobalSign showed up in CT today with a notBefore
> date of March 21, 2018 and a notAfter date of April 23, 2021, a validity
> period of ~1129 days (more than three years).
>
> https://crt.sh/?id=311477948&opt=zlint
>
> CA/B Forum ballot 193 modified the Baseline Requirements to set a maximum
> validity period of 825 days for certificates issued after March 1, 2018.
>
> While the BRs do not appear to have any rules about forward-dating
> certificates, Mozilla's CA Forbidden or Problematic Practices say:
>
>> Certificates do not contain an issue timestamp, so it is not possible to be
>> certain when they were issued. The notBefore date is the start of the
>> certificate's validity range, and is set by the CA. It should be a
>> reasonable reflection of the date on which the certificate was issued. Minor
>> tweaking for technical compatibility reasons is accepted, but backdating
>> certificates in order to avoid some deadline or code-enforced restriction is
>> not.
>
> https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date
>
> This incident makes me think that two changes should be made:
>
> 1) The Root Store Policy should explicitly ban forward and back-dating the
> notBefore date.
> 2) Firefox should implement a technical check to enforce the validity period
> so that issuance practices like this do not impact users (see
> https://bugzilla.mozilla.org/show_bug.cgi?id=908125)
>
> Jonathan
I am not sure about prohibiting forward-dating the notBefore date. I can
picture a situation where an existing site certificate is going to expire.
The site's administration decides to obtain a new certificate from a
different certification authority. Because of various administrative
processes, the switch to the new site certificate cannot be accomplished
quickly (e.g., moving the server); so they establish a notBefore date that
is a month in the future.

-- 
David E. Ross
<http://www.rossde.com/>

President Trump: Please stop using Twitter. We need to hear your
voice and see you talking. We need to know when your message is
really your own and not your attorney's.
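The kind of technical check Jonathan asks for in point 2, written out as an added example; it is not code from this thread, from Firefox, or from zlint. It takes the certificate's notBefore/notAfter and the time the certificate was first observed (the CT log entry time is assumed to be a usable proxy for the issuance date), flags a validity period over the 825-day limit from ballot 193, and separately reports a notBefore that sits well before or after the observation time, since the thread's whole point is that notBefore is CA-controlled and may not reflect actual issuance. The 48-hour tolerance and the finding names are assumptions chosen for this example.

```python
"""Added example: an 825-day validity lint plus a notBefore skew check.
Finding names, the 48-hour tolerance, and the use of first-observation
time as an issuance proxy are assumptions of this example, not rules from
the BRs, Mozilla policy, Firefox, or zlint."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
MAX_VALIDITY_DAYS = 825                                   # ballot 193 limit
BALLOT_193_EFFECTIVE = datetime(2018, 3, 1, tzinfo=UTC)   # applies to certs issued on/after this
# Mozilla allows only "minor tweaking" of notBefore; 48 hours is an assumed
# allowance for clock skew and compatibility adjustments.
NOTBEFORE_TOLERANCE = timedelta(hours=48)


def validity_days(not_before: datetime, not_after: datetime) -> int:
    """Validity period in whole days: notAfter minus notBefore."""
    return (not_after - not_before).days


def subject_to_825_day_limit(not_before: datetime, observed_at: datetime) -> bool:
    """A certificate is treated as issued after the deadline if either its
    notBefore or its first observation (less the tolerance) is on or after
    March 1, 2018. Using the later of the two means a notBefore backdated to
    before the deadline does not escape the limit."""
    return max(not_before, observed_at - NOTBEFORE_TOLERANCE) >= BALLOT_193_EFFECTIVE


def check_validity_period(not_before: datetime, not_after: datetime,
                          observed_at: datetime) -> list:
    findings = []
    days = validity_days(not_before, not_after)
    if subject_to_825_day_limit(not_before, observed_at) and days > MAX_VALIDITY_DAYS:
        findings.append(f"e_validity_too_long: {days} days > {MAX_VALIDITY_DAYS}")
    return findings


def check_notbefore_skew(not_before: datetime, observed_at: datetime) -> list:
    """Report a notBefore that is far from when the certificate was first seen,
    in either direction (forward-dated or backdated)."""
    findings = []
    skew = not_before - observed_at
    if skew > NOTBEFORE_TOLERANCE:
        findings.append(f"w_notbefore_forward_dated: {skew.days} days after first observation")
    elif -skew > NOTBEFORE_TOLERANCE:
        findings.append(f"w_notbefore_backdated: {(-skew).days} days before first observation")
    return findings


def lint(not_before: datetime, not_after: datetime, observed_at: datetime) -> list:
    """All findings for one certificate; an empty list means nothing to report."""
    return (check_validity_period(not_before, not_after, observed_at)
            + check_notbefore_skew(not_before, observed_at))


# Constructed input mirroring the dates reported in the thread: first seen in
# CT on 2018-01-23, notBefore 2018-03-21, notAfter 2021-04-23.
REPORTED_NOT_BEFORE = datetime(2018, 3, 21, tzinfo=UTC)
REPORTED_NOT_AFTER = datetime(2021, 4, 23, tzinfo=UTC)
REPORTED_OBSERVED = datetime(2018, 1, 23, tzinfo=UTC)

if __name__ == "__main__":
    for finding in lint(REPORTED_NOT_BEFORE, REPORTED_NOT_AFTER, REPORTED_OBSERVED):
        print(finding)
```

Run stand-alone, the constructed input yields two findings: a 1129-day validity period over the 825-day limit, and a notBefore 57 days after the certificate was first observed. A certificate whose notBefore lies within the tolerance of its observation time and whose period is at most 825 days yields an empty list. A browser-side check, as Jonathan proposes, would only have the certificate's own dates and the current clock, so it could enforce the period limit but not the skew check; the skew check is the part a CT monitor or CA auditor would run.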

