[cabfpub] Deprecating support for long-lived certificates

Kathleen Wilson kwilson at mozilla.com
Mon Aug 26 20:56:19 UTC 2013


I believe you are referring to this:
"As of February 2013, SSL certificate issuance must also be audited 
according to the Baseline Requirements (BRs),  as described above. The 
first BR audit for each CA and subCA may include a reasonable list of 
BRs that the CA (or subCA) is not yet in compliance with. The second BR 
audit (the following year) is expected to confirm that the issues that 
were listed in the previous BR audit have been resolved.
All other dates are as specified by the CA/Browser Forum."

The intent was to recognize that there may be some situations in which a 
CA may not be able to comply with particular BRs in time for their first 
BR audit, and to allow a way for the CA to move towards full compliance 
while still being audited according to the BRs this year.

The "effective dates" remain as stated by the CA/Browser Forum.

In my opinion, an SSL certificate that is issued after the Effective 
Date (July 1, 2012) that has a validity period of more than 60 months 
does not comply with BR #9.4 (regardless of the reason that certificate 
is issued). If a CA is engaging in this practice, then it should be 
called out as an exception in the BR audit statement.

Mozilla may decide to programatically enforce any of the BRs. Having an 
exception listed in a BR audit statement does *not* mean that Mozilla 
will continue to allow it in code.


On 8/26/13 11:32 AM, Rick Andrews wrote:
> Gerv,
> I'd like to understand if this represents a change in Mozilla's policy. Kathleen's previous statements seemed to indicate that the "effective date" for BR compliance was the first time the CA underwent their Web Trust for CAs audit after February 2013. Would this action push the "effective date" back to July 1, 2012?
> -Rick
>> -----Original Message-----
>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>> On Behalf Of Gervase Markham
>> Sent: Thursday, August 22, 2013 2:37 AM
>> To: CABFPub
>> Subject: Re: [cabfpub] Deprecating support for long-lived certificates
>> On 19/08/13 18:27, Ryan Sleevi wrote:
>>> These checks, which will be landed into the Chromium repository in
>> the
>>> beginning of 2014, will reject as invalid any and all certificates
>>> that have been issued after the Baseline Requirements Effective Date
>>> of 2012-07-1 and which have a validity period exceeding the specified
>>> maximum of 60 months.
>> We have filed a bug to consider taking the same action:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=908125
>> Gerv
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list