[cabfpub] Deprecating support for long-lived certificates

Rick Andrews Rick_Andrews at symantec.com
Tue Aug 27 17:43:16 UTC 2013


Some of my colleagues were concerned with your statement "any and all certificates". Can you please clarify that checks for long-lived certificates will be limited to
  a) end-entity certificates, that
  b) are subject to BRs (SSL and EV Code Signing that chain up to public roots)?


> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
> On Behalf Of Ryan Sleevi
> Sent: Monday, August 19, 2013 10:27 AM
> To: CABFPub
> Subject: [cabfpub] Deprecating support for long-lived certificates
> This message is a follow-up to the thread originally started three
> weeks ago at https://cabforum.org/pipermail/public/2013-
> July/001976.html
> As a result of further analysis of available, publicly discoverable
> certificates, as well as the vibrant discussion among the CA/B Forum
> membership, we have decided to implement further programmatic checks
> in Google Chrome and the Chromium Browser in order to ensure Baseline
> Requirements compliance.
> These checks, which will be landed into the Chromium repository in the
> beginning of 2014, will reject as invalid any and all certificates
> that have been issued after the Baseline Requirements Effective Date
> of 2012-07-1 and which have a validity period exceeding the specified
> maximum of 60 months. Per the Chromium release cycle, these changes
> can be expected to be seen in a Chrome Stable release within 1Q 2014,
> after first appearing Dev and Beta releases.
> Our view is that such certificates are non-compliant with the Baseline
> Requirements. Chrome and Chromium will no longer be considering such
> certificates as valid for the many reasons that have been discussed
> previously on this list.
> We also believe that such practice is inconsistent with the audit
> criteria based upon the Baseline Requirements. For example, the
> WebTrust Principles and Criteria for Certification Authorities 2.0,
> Section 6.3, provides illustrative control #7 - that "The CA or the RA
> verifies that the Certificate Rekey Request meets the requirements
> defined in the relevant CP" and illustrative Control #14 "Prior to the
> generation and issuance of rekeyed certificates, the CA or RA verifies
> the following: ... that the request meets the requirements defined in
> the CP."
> As such, we would like to encourage the auditor community to pay
> attention to such practices when evaluating Certificate Policies and
> Certification Practice Statements.
> Our choice of the beginning of 2014 was chosen as a balance of
> ensuring the Baseline Requirements remain an effective goal for the
> industry and a recognition of the roughly 2038 certificates that have
> been issued since the effective date that do not conform to the BRs in
> this regard. We encourage CAs that have engaged in this unfortunate
> practice, which appears to be a very limited subset of CAs, to reach
> out to affected customers and inform them of the upcoming changes.
> Kind regards,
> Ryan Sleevi, on behalf of the Google Chrome Team
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list