Re: Find a 5-year certificate
> https://bugzilla.mozilla.org/show_bug.cgi?id=908125 .
>
> Gerv

Wow, embarrassingly weak google-fu on my part... Sorry and thanks!

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Find a 5-year certificate
On 10/05/17 18:12, userwithuid wrote:
> Limiting to 60 months could be done right now as a sanity check and shouldn't
> cause any problems, right?

https://bugzilla.mozilla.org/show_bug.cgi?id=908125 .

Gerv
Re: Find a 5-year certificate
In this context, I was wondering: Has there been a discussion yet on Firefox enforcing cert lifetime in code, not just via policy? Most everything seems to be in place already due to EV, but DV doesn't have a limit atm. [0]

Now in practice, thanks to killing SHA-1, most of those legacy certs are probably distrusted anyway. But then again, backdating is technically possible, until full CT can provide protection in ~4 years iiuc, and it's a pretty stealthy way for CAs to subvert current guidelines (unless you do it WoSign-style I guess...)

Limiting to 60 months could be done right now as a sanity check and shouldn't cause any problems, right?

[0] https://github.com/mozilla/gecko-dev/blob/455ab646d315d265b4c0c3f712a69aae40985fcf/security/certverifier/NSSCertDBTrustDomain.cpp#L1112
Re: Find a 5-year certificate
On 2017-05-09 17:07, Han Yuwei wrote:
> I have found this: https://crt.sh/?id=6885329
> I don't know whether Mozilla had allowed the certificate valid more than 39 months, so I am here to verify it.

The BR only required the 39 months since 1 April 2015, and allowed up to 60 months before that. Since 1 April 2015, longer than 39 months is only allowed in some special cases. Since this is a cert from before 1 April 2015, the 60 months is allowed.

Kurt
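As an added illustration of the two limits Kurt cites (60 months before 1 April 2015, 39 months from then on) and of the flat 60-month sanity check proposed earlier in the thread, here is a small validity-period checker. It is example code written for this thread, not code from the thread, from NSS or from Mozilla; the certificate dates it runs on are constructed, not taken from crt.sh.

```python
from datetime import date, datetime

# Cutoff and limits as stated in the thread (CA/Browser Forum Baseline Requirements):
# up to 60 months for certificates issued before 1 April 2015, 39 months from that date on.
BR_39_MONTH_CUTOFF = date(2015, 4, 1)
HARD_CAP_MONTHS = 60  # the flat "sanity check" cap proposed in the thread


def months_between(start: date, end: date) -> int:
    """Validity period in calendar months, rounding a partial trailing month up."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day > start.day:
        months += 1
    return months


def br_limit_months(not_before: date) -> int:
    """Maximum validity the BRs permitted for a certificate with this notBefore."""
    return 60 if not_before < BR_39_MONTH_CUTOFF else 39


def check_validity(not_before_str: str, not_after_str: str) -> dict:
    """Compare a certificate's validity period with the BR limit in force at its
    notBefore date and with a flat 60-month cap. Note that this keys on notBefore
    exactly as the CA asserted it, which is what a backdated certificate lies about;
    the check catches over-long periods, not backdating itself."""
    nb = datetime.strptime(not_before_str, "%Y-%m-%d").date()
    na = datetime.strptime(not_after_str, "%Y-%m-%d").date()
    if na <= nb:
        raise ValueError("notAfter must be later than notBefore")
    months = months_between(nb, na)
    limit = br_limit_months(nb)
    return {
        "months": months,
        "br_limit": limit,
        "within_br": months <= limit,
        "within_hard_cap": months <= HARD_CAP_MONTHS,
    }


# Constructed sample validity periods (not real certificates):
SAMPLES = [
    ("2014-06-01", "2019-06-01"),  # 60 months, issued before the cutoff: allowed
    ("2015-06-01", "2018-09-01"),  # 39 months after the cutoff: allowed
    ("2015-06-01", "2020-06-01"),  # 60 months after the cutoff: over the BR limit
    ("2013-01-01", "2019-01-01"),  # 72 months: over both the BR limit and the hard cap
]

if __name__ == "__main__":
    for nb, na in SAMPLES:
        print(nb, na, check_validity(nb, na))
```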