On Tue, Oct 12, 2021 at 3:52 PM Peter Gutmann <[email protected]> wrote:
> It would be helpful if browsers enforced the upper limits in the same way > they > strictly enforce lower limits. I don't know how many root CA certs I've > seen > with validity periods of between one and two hundred years (that's not a > typo). In particular, one-century validity periods seem to be popular for > we- > don't-want-to-have-to-replace-them CA certs. So once they're entered into > the > CA store those all-powerful certs will still be valid long after the CAs > have > gone out of business, the private keys have been sold or stolen or lost, > and > the crypto they use has been broken. > Hi Peter, Can you say more about this? Are you concerned that people are not getting updates to their trust anchors? My understanding is that - assuming that updates are active - trust anchors are only retained if the CA continues to pass audits and so forth. (Seo said something similar.) Put another way, while an end date is a useful construct, does it need to be the date in the certificate? Maybe the trust store could indicate the date range over which trust remains valid. That might be the date at which the current audit remains valid (or whatever time the trust assessment might need to be re-assessed). Updates to the trust store could extend the lifetime of validity without changing the certificate anywhere. If that is how it worked, what does it matter if the certificate claims to be valid until 2598? -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAPLxc%3DVqEC96TcgSs0bpP4ezQq_2LYqKbN-dKirzADfODxCZQQ%40mail.gmail.com.
