[cabfpub] Concerns regarding Mozilla Root Program/Baseline Requirements

kirk_hall at trendmicro.com
Tue Aug 6 14:22:38 UTC 2013

Eddy, I don’t remember any discussion about revoking pre-Baseline Requirement certs that had validity periods longer than 60 months (or 39 months).

The only discussion I recall related to new validity period rules to apply to NEW certs issued AFTER the effective date of the BRs – which resulted in BR 9.4 below.  And I don’t remember any discussion about limiting re-keying certs that had been issued before the BRs became effective – I don’t think CAs would have agreed to that because it would have put them in breach of contract with their existing customers as to existing certs.

9.4 Validity Period

Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months.

Except as provided for below, Certificates issued after 1 April 2015 MUST have a Validity Period no greater than 39 months.

Beyond 1 April 2015, CAs MAY continue to issue Certificates with a Validity Period greater than 39 months but not greater than 60 months provided that the CA documents that the Certificate is for a system or software that:

(a) was in use prior to the Effective Date;
(b) is currently in use by either the Applicant or a substantial number of Relying Parties;
(c) fails to operate if the Validity Period is shorter than 60 months;
(d) does not contain known security risks to Relying Parties; and
(e) is difficult to patch or replace without substantial economic outlay.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Monday, August 05, 2013 3:28 PM
To: public at cabforum.org
Cc: mozilla-dev-security-policy at lists.mozilla.org; Tim Moses
Subject: Re: [cabfpub] Concerns regarding Mozilla Root Program/Baseline Requirements

On 07/31/2013 07:47 PM, From Wayne Thayer:

This issue naturally goes away as these legacy certificates expire, and it is not a violation of our policies, nor do I believe it is a violation of the BRs.  More importantly, it does not perpetuate any bad practices as some have suggested.

I just leave you guys a few days out of sight (due to vacationing) and all this mess - some 60 plus messages to be read :-)

Anyway, Wayne, I remind you that we discussed this exact issue and I recall that you agreed that any such certificate would be revoked (was it by October 2015?) and no more such certificates will be issued by GoDaddy from the time of discussion. We'd have to go back to the discussions, but I assume Tim Moses who led the discussions and mediated at that time at the forum can confirm it.



Eddy Nigg, COO/CTO
StartCom Ltd.<http://www.startcom.org>
startcom at startcom.org<xmpp:startcom at startcom.org>
Join the Revolution!<http://blog.startcom.org>
Follow Me<http://twitter.com/eddy_nigg>
