On Wednesday, 24 January 2018 06:55:55 UTC+8, Jonathan Rudenberg wrote: > A certificate issued by GlobalSign showed up in CT today with a notBefore > date of March 21, 2018 and a notAfter date of April 23, 2021, a validity > period of ~1129 days (more than three years). > > https://crt.sh/?id=311477948&opt=zlint > > CA/B Forum ballot 193 modified the Baseline Requirements to set a maximum > validity period of 825 days for certificates issued after March 1, 2018. > > While the BRs do not appear to have any rules about forward-dating > certificates, Mozilla’s CA Forbidden or Problematic Practices say: > > > Certificates do not contain an issue timestamp, so it is not possible to be > > certain when they were issued. The notBefore date is the start of the > > certificate's validity range, and is set by the CA. It should be a > > reasonable reflection of the date on which the certificate was issued. > > Minor tweaking for technical compatibility reasons is accepted, but > > backdating certificates in order to avoid some deadline or code-enforced > > restriction is not. > > https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date > > This incident makes me think that two changes should be made: > > 1) The Root Store Policy should explicitly ban forward and back-dating the > notBefore date. > 2) Firefox should implement a technical check to enforce the validity period > so that issuance practices like this do not impact users (see > https://bugzilla.mozilla.org/show_bug.cgi?id=908125) > > Jonathan
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy