mozilla / pkipolicy

Documents for Mozilla's PKI policies - certificate root program, etc.

Limit TLS Certificates to 398 day validity after Aug 31, 2020 #204

Closed wthayer closed 4 years ago

wthayer commented 4 years ago

As proposed in https://groups.google.com/d/msg/mozilla.dev.security.policy/mz1buYdIy-I/oo9zHBADAQAJ

ghost commented 4 years ago

This is getting ridiculous. Time to fork Mozilla.

MMeent commented 4 years ago

Just to confirm, @wthayer, will certs with a validity period of > 398 days that were issued before 2020-09-01 stay valid until they expire, similar to Apple's implementation? Or is this a blanket 'ban' on trusting certs with validity periods > 398 days after 2020-09-01?

The title is not clear on 'limit certs issued after' or 'limit certs valid after', and I've seen various news outlets report the latter interpretation.

BenWilson-Mozilla commented 4 years ago

@MMeent The exact details of this proposal are still to be decided based on public discussion before they are incorporated into Mozilla policy. However, the proposal is that certificates issued before the effective date (TBD) would be valid until they expired. In other words, the policy would only apply to certificates issued after a certain date.

Staja commented 4 years ago

@BenWilson-Mozilla Will this affect user-added or administrator-added Root CAs?

BenWilson-Mozilla commented 4 years ago

@Staja The intent would be to not affect the duration of leaf certificates from non-built-in roots, unless there is some other technical implication of which I am unaware.

ghost commented 4 years ago

What is the intent? Why do this at all at this point?

defacto64 commented 4 years ago

Wouldn't it be time to commit the change and publish Mozilla Root Store Policy 2.7.1? September 1, 2020, is just a week away, and v1.7.1 of the BRs already restricts validity to 398 days ...

sleevi commented 4 years ago

Is there something here that conflicts with the BRs? Is there a risk of it being read as that?

Otherwise, shouldn’t the fact that it’s in the BRs obviate the need for stated policy to change? The point of SC31 was to reduce the individual policies' size by having a common expression in the BRs of things that made sense to all browsers.

BenWilson-Mozilla commented 4 years ago

I'll start work on putting together the formal changes to Mozilla Policy, but those will not be done prior to next week. In any event, version 1.7.1 of the Baseline Requirements has been published here: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.1.pdf.


BenWilson-Mozilla commented 4 years ago

On further review of the Mozilla Root Store Policy and the Baseline Requirements, I do not think the Mozilla Policy needs to be revised for this issue because validity periods are already stated in the Baseline Requirements. I will close this issue soon unless there are any strong concerns.

BenWilson-Mozilla commented 4 years ago

Already addressed in the Baseline Requirements