On Mon, Apr 9, 2018 at 9:46 AM Daymion Reynolds via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> As an FYI only:
> We did review the one cert cited below for term length. The certificate
> was issued in 2013 before the current max term duration was defined.  This
> cert is grandfathered in and does not require revocation. In May of this
> year it expires.


The certificate [1] has a notBefore date of Apr 19, 2013. Version 1.1.3 of
the BRs [2], effective from Feb 21, 2013, required that new certificates
must not have a validity period greater than 60 months (section 9.4, p 12).
The delta between notAfter and notBefore is greater than 60 months, so it
was not compliant at the time of issuance, unless the notBefore date does
not reflect the date of issuance.


[1] https://crt.sh/?id=370273130&opt=cablint,ocsp
[2] https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_1_3.pdf
dev-security-policy mailing list

Reply via email to