On Wed, Feb 24, 2021 at 09:21:04PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
> On ke, 24 helmi 2021, Alan Latteri via FreeIPA-users wrote:
> > Now that Mozilla and other browsers will not Trust a certificate with a
> > validity length longer than a year, FreeIPA should change the default
> > length to match. Currently IPA issues 2 year certificates, which make
> > all the browsers view them as Un-Trusted.
>
> Do you have proof that this is really happening for the cases where a
> browser trusts IPA CA manually? IPA CAs are not part of the preinstalled
> Root CAs bundle anywhere so one has to add them manually.
>
> According to Apple it only affects server certificates issued by
> commercial CAs trusted by the browsers as part of their 'Root CA'
> bundles, https://support.apple.com/en-us/HT211025:
>
> ----------------
> This change will affect only TLS server certificates issued from the
> Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS.
> Additionally, this change will affect only TLS server certificates
> issued on or after September 1, 2020; any certificates issued prior to
> that date will not be affected by this change.
> ----------------
>
> Mozilla root certificate program says the same, it only applies to
> certificates issued by those CAs who are part of their root CAs program:
>
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#21-ca-operations
>
> ----------------
> CAs whose certificates are included in Mozilla's root program MUST:
>
> ...
> 5. verify that all of the information that is included in SSL
> certificates remains current and correct at time intervals of 825 days
> or less;
> ----------------
>
> Chrome/Chromium root CA program explicitly states these requirements
> don't apply to custom/enterprise CAs:
>
> https://www.chromium.org/Home/chromium-security/root-ca-policy
>
> ----------------
> If you're an enterprise managing trusted CAs for your organization,
> including locally installed enterprise CAs, the policies described in
> this document do not apply to your CA. No changes are currently planned
> for how enterprise administrators manage those CAs within Chrome. CAs
> that have been installed by the device owner or administrator into the
> operating system trust store are expected to continue to work as they do
> today.
>
> ...
>
> The sections below describe the Chrome Root Program, and policies and
> requirements for CAs to have their certificates included in a default
> installation of Chrome, as part of the transition to the Chrome Root
> Store.
> ----------------
>
> The only place that explicitly states 397 days validity period should be
> used is CA Browser Forum BR 1.7.3 which added following change on
> 2020-09-01:
>
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.3.pdf
> ------------------------
> 6.3.2 Certificate operational periods and key pair usage periods
>
> Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT
> have a Validity Period greater than 397 days and MUST NOT have a
> Validity Period greater than 398 days. Subscriber Certificates issued
> after 1 March 2018, but prior to 1 September 2020, MUST NOT have a
> Validity Period greater than 825 days. Subscriber Certificates issued
> after 1 July 2016 but prior to 1 March 2018 MUST NOT have a Validity
> Period greater than 39 months.
>
> For the purpose of calculations, a day is measured as 86,400 seconds.
> Any amount of time greater than this, including fractional seconds
> and/or leap seconds, shall represent an additional day. For this reason,
> Subscriber Certificates SHOULD NOT be issued for the maximum permissible
> time by default, in order to account for such adjustments.
> ------------------------
>
> However, CA Browser Forum BR is not mandatory for those CAs that aren't
> included into Root CA programs:
>
> -----------------------
> This document describes an integrated set of technologies, protocols,
> identity-proofing, lifecycle management, and auditing requirements that
> are necessary (but not sufficient) for the issuance and management of
> Publicly-Trusted Certificates; Certificates that are trusted by virtue
> of the fact that their corresponding Root Certificate is distributed in
> widely-available application software. The requirements are not mandatory
> for Certification Authorities unless and until they become adopted and
> enforced by relying-party Application Software Suppliers.
> -----------------------
>
I agree with Alexander's comments. Browsers do not apply the BR rules to
private / enterprise CAs.

Alexander filed a ticket to discuss reducing FreeIPA's default certificate
lifetime: https://pagure.io/freeipa/issue/8724. I left some comments there,
but tl;dr I am in favour of reducing the default lifetime, but it is not
something we need to rush into.

Cheers,
Fraser
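A check that follows the BR 6.3.2 text quoted in the thread, added here as an example and not code from the thread or from FreeIPA: it computes a certificate's Validity Period the BR way (86,400-second days, any excess counting as one more day), applies the section's limits by issuance date, and records whether those limits bind at all, which for a manually trusted enterprise CA they do not. The 730-day sample dates are constructed, and the handling of boundary days (e.g. 2018-03-01) is an assumption noted in the code.

```python
from datetime import date, datetime, timedelta, timezone
from math import ceil

DAY_SECONDS = 86_400  # BR 6.3.2: a day is measured as 86,400 seconds

def validity_days(not_before, not_after):
    """Validity Period in days the BR way: any excess over whole days
    (fractional seconds, leap seconds) counts as an additional day."""
    seconds = (not_after - not_before).total_seconds()
    return ceil(seconds / DAY_SECONDS)

def add_months(d, months):
    """Calendar-month arithmetic for the 39-month rule (day clamped to month end)."""
    years, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, m + 1
    month_end = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, month_end))

def assess(not_before, not_after, ca_in_root_program):
    """Apply BR 1.7.3 section 6.3.2 to one Subscriber Certificate.
    Assumption: a boundary day (e.g. 2018-03-01) belongs to the later regime."""
    days = validity_days(not_before, not_after)
    issued = not_before.date()
    if issued >= date(2020, 9, 1):
        limit, over_must, over_should = "398 days", days > 398, days > 397
    elif issued >= date(2018, 3, 1):
        limit, over_must, over_should = "825 days", days > 825, days > 825
    elif issued >= date(2016, 7, 1):
        over_must = not_after.date() > add_months(issued, 39)
        limit, over_should = "39 months", over_must
    else:
        limit, over_must, over_should = None, False, False
    return {
        "days": days,
        "br_limit": limit,
        "exceeds_must_not": over_must,
        "exceeds_should_not": over_should,
        # The thread's point: BR limits bind only CAs in a browser root program.
        "br_applies": ca_in_root_program,
        "blocked_by_browser_policy": ca_in_root_program and over_must,
    }

if __name__ == "__main__":
    # Constructed sample: a FreeIPA-style 2-year server cert from an enterprise
    # CA that browsers trust only because an administrator installed it.
    nb = datetime(2021, 2, 24, 12, 0, tzinfo=timezone.utc)
    na = nb + timedelta(days=730)
    print(assess(nb, na, ca_in_root_program=False))  # over the BR limit, but BR does not apply
    print(assess(nb, na, ca_in_root_program=True))   # a root-program CA could not issue this
```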