Re: Maximum validity of pre-BR certificates
On Sat, Mar 4, 2017 at 4:20 PM, Daniel Cater via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Saturday, 4 March 2017 21:21:41 UTC, Jeremy Rowley wrote:
> > Common practice amongst certain CAs. There were several CAs that have always opposed cert validity periods longer than three years. This opposition led to reducing the validity period first to 60 months then to 39 months.
>
> The reason I brought this up is that I found this certificate in the wild with a validity of almost 124 months (10 years and 4 months): https://crt.sh/?id=710954&opt=cablint,x509lint
>
> I read the cablint warning and wondered if the certificate was in breach of any pre-BR policies at the time that it was issued, but I assume not.
>
> Note that the certificate is live and trusted by browsers that haven't yet blocked SHA-1 certificates: https://newleaderscouncil.org/

Even if SHA-1 was still enabled, Chrome blocked such certificates. Currently Chrome sets the absolute upper max at 10 years if pre-BRs, 5 years if BR effective date, and 3 years after the sunset.

My hope for Chrome 59 is to change that to 3 years across the board soon, with further reductions thereafter.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Maximum validity of pre-BR certificates
On Saturday, 4 March 2017 21:21:41 UTC, Jeremy Rowley wrote:
> Common practice amongst certain CAs. There were several CAs that have always opposed cert validity periods longer than three years. This opposition led to reducing the validity period first to 60 months then to 39 months.

The reason I brought this up is that I found this certificate in the wild with a validity of almost 124 months (10 years and 4 months): https://crt.sh/?id=710954&opt=cablint,x509lint

I read the cablint warning and wondered if the certificate was in breach of any pre-BR policies at the time that it was issued, but I assume not.

Note that the certificate is live and trusted by browsers that haven't yet blocked SHA-1 certificates: https://newleaderscouncil.org/
Re: Maximum validity of pre-BR certificates
Common practice amongst certain CAs. There were several CAs that have always opposed cert validity periods longer than three years. This opposition led to reducing the validity period first to 60 months then to 39 months.

> On Mar 4, 2017, at 2:01 PM, Peter Bowen via dev-security-policy wrote:
>
> On Sat, Mar 4, 2017 at 12:22 PM, Daniel Cater via dev-security-policy wrote:
>> On Saturday, 4 March 2017 20:14:09 UTC, Jeremy Rowley wrote:
>>> 1.0 is not the definitive version any more. As of 2015-04-01, Section 6.3.2 prohibits validity periods longer than 39 months.
>>
>> Thanks for the prompt reply Jeremy. I realise this. My question relates to what the situation was (be it a guideline, policy, or just common practice) prior to version 1.0.
>>
>> The cablint message mentions 120 months and I was wondering where that number came from.
>
> Common practice.
Re: Maximum validity of pre-BR certificates
On Sat, Mar 4, 2017 at 12:22 PM, Daniel Cater via dev-security-policy wrote:
> On Saturday, 4 March 2017 20:14:09 UTC, Jeremy Rowley wrote:
>> 1.0 is not the definitive version any more. As of 2015-04-01, Section 6.3.2 prohibits validity periods longer than 39 months.
>
> Thanks for the prompt reply Jeremy. I realise this. My question relates to what the situation was (be it a guideline, policy, or just common practice) prior to version 1.0.
>
> The cablint message mentions 120 months and I was wondering where that number came from.

Common practice.
RE: Maximum validity of pre-BR certificates
Yes - several CAs issued 60 month+ certs prior to 1.0. In fact, 10 year certs were not especially uncommon. The validity period available depended largely on the CA.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org] On Behalf Of Daniel Cater via dev-security-policy
Sent: Saturday, March 4, 2017 1:22 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Maximum validity of pre-BR certificates

On Saturday, 4 March 2017 20:14:09 UTC, Jeremy Rowley wrote:
> 1.0 is not the definitive version any more. As of 2015-04-01, Section 6.3.2 prohibits validity periods longer than 39 months.

Thanks for the prompt reply Jeremy. I realise this. My question relates to what the situation was (be it a guideline, policy, or just common practice) prior to version 1.0.

The cablint message mentions 120 months and I was wondering where that number came from.
Re: Maximum validity of pre-BR certificates
On Saturday, 4 March 2017 20:14:09 UTC, Jeremy Rowley wrote:
> 1.0 is not the definitive version any more. As of 2015-04-01, Section 6.3.2 prohibits validity periods longer than 39 months.

Thanks for the prompt reply Jeremy. I realise this. My question relates to what the situation was (be it a guideline, policy, or just common practice) prior to version 1.0.

The cablint message mentions 120 months and I was wondering where that number came from.
RE: Maximum validity of pre-BR certificates
1.0 is not the definitive version any more. As of 2015-04-01, Section 6.3.2 prohibits validity periods longer than 39 months.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Daniel Cater via dev-security-policy
Sent: Saturday, March 4, 2017 1:02 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Maximum validity of pre-BR certificates

Hello,

Version 1.0 of the Baseline Requirements stated that: "Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months". The effective date for this version was 2012-07-01 (https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf).

I noticed that cablint has a warning stating: "W: Pre-BR certificates should not be more than 120 months in validity" (https://github.com/awslabs/certlint/blob/68a2c46f5146025910a0e17f2f34351e3b4b8802/lib/certlint/cablint.rb#L328).

Was this a technical limitation or a policy of some kind? I can't find any reference for it.

Any insight into the guidelines, rules, or common practices relating to maximum certificate lifetime prior to the Baseline Requirements would be appreciated.

Thank you.
Maximum validity of pre-BR certificates
Hello,

Version 1.0 of the Baseline Requirements stated that: "Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months". The effective date for this version was 2012-07-01 (https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf).

I noticed that cablint has a warning stating: "W: Pre-BR certificates should not be more than 120 months in validity" (https://github.com/awslabs/certlint/blob/68a2c46f5146025910a0e17f2f34351e3b4b8802/lib/certlint/cablint.rb#L328).

Was this a technical limitation or a policy of some kind? I can't find any reference for it.

Any insight into the guidelines, rules, or common practices relating to maximum certificate lifetime prior to the Baseline Requirements would be appreciated.

Thank you.
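The following is an added example, not cablint's own code nor Chrome's, that reconstructs the date-based validity check the thread circles around: cablint's 120-month "common practice" warning for certificates issued before the BRs, the 60-month cap of BR 1.0 (effective 2012-07-01) and the 39-month cap of BR 6.3.2 from 2015-04-01, which is also the three-regime shape of the Chrome enforcement described in the top reply. The regime is picked from notBefore, and the limit is applied as a calendar-month shift (Ruby's Date#>>, which clamps Jan 31 + 1 month to the end of February) rather than a day count, so a certificate one day over the cap is caught. Assumptions: the post-2015-04-01 limit is taken as 39 months (the reply says "3 years" loosely), the pre-BR finding is reported at warning severity because it was never a rule, and the sample dates are constructed, not the real dates of the crt.sh certificate.

```ruby
require 'date'

# Policy boundaries quoted in the thread.
BR_V1_EFFECTIVE  = Date.new(2012, 7, 1)  # BR 1.0: 60-month cap from this date
BR_39M_EFFECTIVE = Date.new(2015, 4, 1)  # BR 6.3.2: 39-month cap from this date
PRE_BR_MONTHS    = 120                   # cablint's "common practice" warning, not a rule

# Returns [limit_in_months, severity] for a certificate whose notBefore is
# +not_before+. Pre-BR is "W" (warning); the BR caps are "E" (error).
def validity_limit(not_before)
  if not_before < BR_V1_EFFECTIVE
    [PRE_BR_MONTHS, "W"]
  elsif not_before < BR_39M_EFFECTIVE
    [60, "E"]
  else
    [39, "E"]                            # assumption: "3 years after the sunset" == 39 months
  end
end

# Whole calendar months plus leftover days between two dates.
# Date#>> shifts by months and clamps to month end (Jan 31 >> 1 == Feb 28/29).
def validity_months(not_before, not_after)
  months = (not_after.year - not_before.year) * 12 + (not_after.month - not_before.month)
  months -= 1 if not_after.day < not_before.day
  days = (not_after - (not_before >> months)).to_i
  [months, days]
end

# nil when the validity fits the limit for its regime, otherwise a hash
# carrying a cablint-style message.
def lint_validity(not_before, not_after)
  limit, severity = validity_limit(not_before)
  return nil if not_after <= (not_before >> limit)   # exactly at the cap is allowed
  months, days = validity_months(not_before, not_after)
  regime = severity == "W" ? "Pre-BR" : "BR"
  {
    severity: severity,
    limit: limit,
    months: months,
    days: days,
    message: "#{severity}: #{regime} certificates should not be more than " \
             "#{limit} months in validity (got #{months} months, #{days} days)"
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed dates: a pre-BR certificate of almost 124 months.
  puts lint_validity(Date.new(2006, 11, 20), Date.new(2017, 3, 17))[:message]
  # Exactly 60 months under BR 1.0: allowed.
  p lint_validity(Date.new(2013, 1, 15), Date.new(2018, 1, 15))
  # One day past 39 months after 2015-04-01: error.
  puts lint_validity(Date.new(2015, 5, 1), Date.new(2018, 8, 2))[:message]
end
```

To run this over real certificates, feed `OpenSSL::X509::Certificate#not_before.to_date` and `#not_after.to_date` into `lint_validity`; the regime boundaries apply to the issuance date, so a certificate issued in 2011 with ten years of validity is a warning here, exactly the case the thread found in the wild.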