Re: Find a 5-year certificate

2017-05-11 Thread userwithuid via dev-security-policy
> https://bugzilla.mozilla.org/show_bug.cgi?id=908125 .
> 
> Gerv

Wow, embarrassingly weak google-fu on my part... Sorry and thanks!
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Find a 5-year certificate

2017-05-11 Thread Gervase Markham via dev-security-policy
On 10/05/17 18:12, userwithuid wrote:
> Limiting to 60 months could be done right now as a sanity check and shouldn't 
> cause any problems, right?

https://bugzilla.mozilla.org/show_bug.cgi?id=908125 .

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Find a 5-year certificate

2017-05-10 Thread userwithuid via dev-security-policy
In this context, I was wondering: Has there been a discussion yet on Firefox 
enforcing cert lifetime in code not just via policy?

Most everything seems to be in place already due to EV, but DV doesn't have a 
limit atm. [0]

Now in practice, thanks to killing sha1, most of those legacy certs are 
probably distrusted anyway. But then again, backdating is technically possible, 
until full CT can provide protection in ~4 years iiuc, and it's a pretty 
stealthy way for CAs to subvert current guidelines (unless you do it 
WoSign-style I guess...)

Limiting to 60 months could be done right now as a sanity check and shouldn't 
cause any problems, right?

[0] 
https://github.com/mozilla/gecko-dev/blob/455ab646d315d265b4c0c3f712a69aae40985fcf/security/certverifier/NSSCertDBTrustDomain.cpp#L1112
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Find a 5-year certificate

2017-05-09 Thread Han Yuwei via dev-security-policy
I have found this:
https://crt.sh/?id=6885329

I don't know whether Mozilla had allowed the certificate valid more than 39 
months, so I am here to verify it.

I have searched on Github but found nothing.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy