Re: Maximum validity of pre-BR certificates

2017-03-04 Thread Ryan Sleevi via dev-security-policy
On Sat, Mar 4, 2017 at 4:20 PM, Daniel Cater via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Saturday, 4 March 2017 21:21:41 UTC, Jeremy Rowley  wrote:
> > Common practice amongst certain CAs. There were several CAs that have
> > always opposed cert validity periods longer than three years. This
> > opposition led to reducing the validity period first to 60 months, then
> > to 39 months.
>
> The reason I brought this up is that I found this certificate in the wild
> with a validity of almost 124 months (10 years and 4 months):
> https://crt.sh/?id=710954=cablint,x509lint
>
> I read the cablint warning and wondered if the certificate was in breach
> of any pre-BR policies at the time that it was issued, but I assume not.
>
> Note that the certificate is live and trusted by browsers that haven't yet
> blocked SHA-1 certificates: https://newleaderscouncil.org/


Even if SHA-1 was still enabled, Chrome blocked such certificates.

Currently Chrome sets the absolute upper max at 10 years if pre-BRs, 5
years if BR effective date, and 3 years after the sunset. My hope for
Chrome 59 is to change that to 3 years across the board soon, with further
reductions thereafter.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Maximum validity of pre-BR certificates

2017-03-04 Thread Daniel Cater via dev-security-policy
On Saturday, 4 March 2017 21:21:41 UTC, Jeremy Rowley  wrote:
> Common practice amongst certain CAs. There were several CAs that have always 
> opposed cert validity periods longer than three years. This opposition led 
> to reducing the validity period first to 60 months, then to 39 months.

The reason I brought this up is that I found this certificate in the wild with 
a validity of almost 124 months (10 years and 4 months): 
https://crt.sh/?id=710954=cablint,x509lint

I read the cablint warning and wondered if the certificate was in breach of any 
pre-BR policies at the time that it was issued, but I assume not.

Note that the certificate is live and trusted by browsers that haven't yet 
blocked SHA-1 certificates: https://newleaderscouncil.org/


Re: Maximum validity of pre-BR certificates

2017-03-04 Thread Jeremy Rowley via dev-security-policy
Common practice amongst certain CAs. There were several CAs that have always 
opposed cert validity periods longer than three years. This opposition led to 
reducing the validity period first to 60 months, then to 39 months.

> On Mar 4, 2017, at 2:01 PM, Peter Bowen via dev-security-policy 
>  wrote:
> 
> On Sat, Mar 4, 2017 at 12:22 PM, Daniel Cater via dev-security-policy
>  wrote:
>> On Saturday, 4 March 2017 20:14:09 UTC, Jeremy Rowley  wrote:
>>> 1.0 is not the definitive version any more.  As of 2015‐04‐01, Section
>>> 6.3.2 prohibits validity periods longer than 39 months.
>>> 
>> 
>> Thanks for the prompt reply Jeremy. I realise this. My question relates to 
>> what the situation was (be it a guideline, policy, or just common practice) 
>> prior to version 1.0.
>> 
>> The cablint message mentions 120 months and I was wondering where that 
>> number came from.
> 
> Common practice.


Re: Maximum validity of pre-BR certificates

2017-03-04 Thread Peter Bowen via dev-security-policy
On Sat, Mar 4, 2017 at 12:22 PM, Daniel Cater via dev-security-policy
 wrote:
> On Saturday, 4 March 2017 20:14:09 UTC, Jeremy Rowley  wrote:
>> 1.0 is not the definitive version any more.  As of 2015‐04‐01, Section
>> 6.3.2 prohibits validity periods longer than 39 months.
>>
>
> Thanks for the prompt reply Jeremy. I realise this. My question relates to 
> what the situation was (be it a guideline, policy, or just common practice) 
> prior to version 1.0.
>
> The cablint message mentions 120 months and I was wondering where that number 
> came from.

Common practice.


RE: Maximum validity of pre-BR certificates

2017-03-04 Thread Jeremy Rowley via dev-security-policy
Yes - several CAs issued 60 month+ certs prior to 1.0. In fact, 10 year certs 
were not especially uncommon. The validity period available depended largely on 
the CA.


-Original Message-
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org] On Behalf Of Daniel Cater via dev-security-policy
Sent: Saturday, March 4, 2017 1:22 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Maximum validity of pre-BR certificates

On Saturday, 4 March 2017 20:14:09 UTC, Jeremy Rowley  wrote:
> 1.0 is not the definitive version any more.  As of 2015‐04‐01, Section
> 6.3.2 prohibits validity periods longer than 39 months.
> 

Thanks for the prompt reply Jeremy. I realise this. My question relates to what 
the situation was (be it a guideline, policy, or just common practice) prior to 
version 1.0.

The cablint message mentions 120 months and I was wondering where that number 
came from.


Re: Maximum validity of pre-BR certificates

2017-03-04 Thread Daniel Cater via dev-security-policy
On Saturday, 4 March 2017 20:14:09 UTC, Jeremy Rowley  wrote:
> 1.0 is not the definitive version any more.  As of 2015‐04‐01, Section
> 6.3.2 prohibits validity periods longer than 39 months.
> 

Thanks for the prompt reply Jeremy. I realise this. My question relates to what 
the situation was (be it a guideline, policy, or just common practice) prior to 
version 1.0.

The cablint message mentions 120 months and I was wondering where that number 
came from.


RE: Maximum validity of pre-BR certificates

2017-03-04 Thread Jeremy Rowley via dev-security-policy
1.0 is not the definitive version any more.  As of 2015‐04‐01, Section
6.3.2 prohibits validity periods longer than 39 months.

-Original Message-
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Daniel Cater via dev-security-policy
Sent: Saturday, March 4, 2017 1:02 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Maximum validity of pre-BR certificates

Hello,

Version 1.0 of the Baseline Requirements stated that:

"Certificates issued after the Effective Date MUST have a Validity Period no
greater than 60 months".

The effective date for this version was 2012-07-01
(https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf).

I noticed that cablint has a warning stating: "W: Pre-BR certificates should
not be more than 120 months in validity"
(https://github.com/awslabs/certlint/blob/68a2c46f5146025910a0e17f2f34351e3b4b8802/lib/certlint/cablint.rb#L328).

Was this a technical limitation or a policy of some kind? I can't find any
reference for it.

Any insight into the guidelines, rules, or common practices relating to maximum
certificate lifetime prior to the Baseline Requirements would be
appreciated.

Thank you.


Maximum validity of pre-BR certificates

2017-03-04 Thread Daniel Cater via dev-security-policy
Hello,

Version 1.0 of the Baseline Requirements stated that:

"Certificates issued after the Effective Date MUST have a Validity Period no 
greater than 60 months".

The effective date for this version was 2012-07-01 
(https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1.pdf).

I noticed that cablint has a warning stating: "W: Pre-BR certificates should 
not be more than 120 months in validity" 
(https://github.com/awslabs/certlint/blob/68a2c46f5146025910a0e17f2f34351e3b4b8802/lib/certlint/cablint.rb#L328).

Was this a technical limitation or a policy of some kind? I can't find any 
reference for it.

Any insight into the guidelines, rules, or common practices relating to maximum 
certificate lifetime prior to the Baseline Requirements would be appreciated.

Thank you.
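
The caps discussed in this thread (cablint's 120-month warning for pre-BR certificates, the 60-month limit of BR v1.0 effective 2012-07-01, and the 39-month limit of BR section 6.3.2 from 2015-04-01), turned into a small lint keyed on the issuance date. This is an added example for this page, not certlint's code and not Chrome's. The three Chrome windows Ryan describes (10 years pre-BR, 5 years from the BR effective date, 3 years after the sunset) line up with the same dates, but the exact Chrome figures are not stated in the thread, so the code uses the BR and cablint numbers. The input is the two lines printed by `openssl x509 -noout -dates`; the sample dates are constructed and are not those of the certificate Daniel found; the convention that any partial month rounds up to a whole month is an assumption of the example, not a rule from the BRs or from certlint.

```python
"""Date-keyed validity-period lint for TLS server certificates.

Added example for this thread; not certlint's or Chrome's own code. The
caps are the ones quoted in the thread: cablint warns when a pre-BR
certificate exceeds 120 months, BR v1.0 (effective 2012-07-01) capped the
Validity Period at 60 months, and BR section 6.3.2 capped it at 39 months
from 2015-04-01. The month-counting convention (a partial month rounds up)
is an assumption of this example, not a rule taken from the BRs or certlint.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

UTC = timezone.utc
BR_V1_EFFECTIVE = datetime(2012, 7, 1, tzinfo=UTC)         # BR 1.0: 60 months
BR_39_MONTHS_EFFECTIVE = datetime(2015, 4, 1, tzinfo=UTC)  # BR 6.3.2: 39 months

# (first issuance date the rule applies to, cap in months, severity, message),
# newest rule first so that the first match is the one in force on that date.
VALIDITY_RULES = (
    (BR_39_MONTHS_EFFECTIVE, 39, "E",
     "BR 6.3.2: Validity Period must not exceed 39 months"),
    (BR_V1_EFFECTIVE, 60, "E",
     "BR 1.0: Validity Period must not exceed 60 months"),
    (datetime.min.replace(tzinfo=UTC), 120, "W",
     "Pre-BR certificates should not be more than 120 months in validity"),
)


@dataclass(frozen=True)
class Finding:
    severity: str   # "E": BR violation, "W": exceeds pre-BR common practice
    months: int
    cap: int
    message: str


def _utc(dt: datetime) -> datetime:
    """X.509 times are UTC: treat naive datetimes as UTC, convert aware ones."""
    return dt.replace(tzinfo=UTC) if dt.tzinfo is None else dt.astimezone(UTC)


def validity_months(not_before: datetime, not_after: datetime) -> int:
    """Length of notBefore..notAfter in months, rounding a partial month up.

    Exactly N calendar months counts as N; anything past that counts as N+1,
    so 2012-07-01 00:00:00 to 2017-07-01 00:00:00 is 60 months and one second
    more is 61. (Assumed convention, see the module docstring.)
    """
    nb, na = _utc(not_before), _utc(not_after)
    if na < nb:
        raise ValueError("notAfter precedes notBefore")
    months = (na.year - nb.year) * 12 + (na.month - nb.month)
    # The count above treats both endpoints as the first instant of their
    # month; compare the remainder to see whether a partial month is left over.
    if (na.day, na.time()) > (nb.day, nb.time()):
        months += 1
    return months


def lint_validity(not_before: datetime, not_after: datetime) -> Optional[Finding]:
    """Apply the rule in force on the issuance date; None means within the cap."""
    nb = _utc(not_before)
    months = validity_months(nb, not_after)
    for effective, cap, severity, message in VALIDITY_RULES:
        if nb >= effective:
            return Finding(severity, months, cap, message) if months > cap else None
    raise AssertionError("unreachable: the pre-BR rule matches every date")


OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"   # e.g. "Nov  1 00:00:00 2008 GMT"


def parse_openssl_dates(text: str) -> Tuple[datetime, datetime]:
    """Parse the two lines printed by `openssl x509 -noout -dates -in cert.pem`."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT)
    return _utc(fields["notBefore"]), _utc(fields["notAfter"])


def report(openssl_dates: str) -> str:
    """One-line verdict for the output of `openssl x509 -noout -dates`."""
    nb, na = parse_openssl_dates(openssl_dates)
    finding = lint_validity(nb, na)
    if finding is None:
        return f"OK: {validity_months(nb, na)} months"
    return (f"{finding.severity}: {finding.message} "
            f"(validity is {finding.months} months, cap {finding.cap})")


# Constructed sample in the shape of the thread's 10-year-4-month certificate;
# these are not that certificate's real dates.
SAMPLE_PRE_BR_DATES = """\
notBefore=Nov  1 00:00:00 2008 GMT
notAfter=Mar  1 00:00:00 2019 GMT
"""

if __name__ == "__main__":
    print(report(SAMPLE_PRE_BR_DATES))
```

Feed `report()` the output of `openssl x509 -noout -dates -in cert.pem` for a real certificate. One caveat when keying anything on the issuance date this way: the check reads it from notBefore, which the CA sets and can backdate, so the date a certificate was actually issued (and, where it was logged, the CT timestamp) can differ from what the certificate itself claims.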