[cabfpub] Deprecating support for long-lived certificates

Ryan Sleevi sleevi at google.com
Mon Aug 19 17:27:21 UTC 2013

This message is a follow-up to the thread originally started three
weeks ago at https://cabforum.org/pipermail/public/2013-July/001976.html

As a result of further analysis of available, publicly discoverable
certificates, as well as the vibrant discussion among the CA/B Forum
membership, we have decided to implement further programmatic checks
in Google Chrome and the Chromium Browser in order to ensure Baseline
Requirements compliance.

These checks, which will be landed into the Chromium repository in the
beginning of 2014, will reject as invalid any and all certificates
that have been issued after the Baseline Requirements Effective Date
of 2012-07-1 and which have a validity period exceeding the specified
maximum of 60 months. Per the Chromium release cycle, these changes
can be expected to be seen in a Chrome Stable release within 1Q 2014,
after first appearing Dev and Beta releases.

Our view is that such certificates are non-compliant with the Baseline
Requirements. Chrome and Chromium will no longer be considering such
certificates as valid for the many reasons that have been discussed
previously on this list.

We also believe that such practice is inconsistent with the audit
criteria based upon the Baseline Requirements. For example, the
WebTrust Principles and Criteria for Certification Authorities 2.0,
Section 6.3, provides illustrative control #7 - that "The CA or the RA
verifies that the Certificate Rekey Request meets the requirements
defined in the relevant CP" and illustrative Control #14 "Prior to the
generation and issuance of rekeyed certificates, the CA or RA verifies
the following: ... that the request meets the requirements defined in
the CP."

As such, we would like to encourage the auditor community to pay
attention to such practices when evaluating Certificate Policies and
Certification Practice Statements.

Our choice of the beginning of 2014 was chosen as a balance of
ensuring the Baseline Requirements remain an effective goal for the
industry and a recognition of the roughly 2038 certificates that have
been issued since the effective date that do not conform to the BRs in
this regard. We encourage CAs that have engaged in this unfortunate
practice, which appears to be a very limited subset of CAs, to reach
out to affected customers and inform them of the upcoming changes.

Kind regards,
Ryan Sleevi, on behalf of the Google Chrome Team

More information about the Public mailing list