On Tuesday, July 14, 2020 at 2:13:30 PM UTC-4, Ben Wilson wrote:
> Hi Christian, 
> I think your concern is about how our code will enforce this. Because our 
> policy only applies to roots that are built in, our intent is to have our 
> code apply this restriction only to certificates that chain up to built-in 
> roots. 
> Thanks, 
> Ben
> On Mon, Jul 13, 2020 at 10:37 PM Christian Felsing via dev-security-policy < 
> dev-secur...@lists.mozilla.org> wrote: 
> 
> > Am 09.07.2020 um 17:46 schrieb Ben Wilson via dev-security-policy: 
> > > 
> > https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
> >  
> > 
> > Hi, 
> > 
> > blog post should clarify if this is valid for certificates issued by 
> > preinstalled root CAs only or also for CAs installed by user. 
> > 
> > 
> > regards 
> > Christian
> > _______________________________________________ 
> > dev-security-policy mailing list 
> > dev-secur...@lists.mozilla.org 
> > https://lists.mozilla.org/listinfo/dev-security-policy 
> >
Hello Ben,

I also would like clarification as to whether this change is an "administrative 
change" for Mozilla accepting CAs in the included root store, or whether it 
will be a technical change in how Firefox validates CA certificate validity.  

If users install a CA cert that has a validity longer than 398 days after 1 
Sept 2020, will this cause warning messages to appear?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to