[cabfpub] Deprecating support for long-lived certificates

Rob Stradling rob.stradling at comodo.com
Wed Aug 28 15:05:35 UTC 2013

On 26/08/13 21:56, Kathleen Wilson wrote:
> Rick,
> I believe you are referring to this:
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
> "As of February 2013, SSL certificate issuance must also be audited
> according to the Baseline Requirements (BRs),  as described above. The
> first BR audit for each CA and subCA may include a reasonable list of
> BRs that the CA (or subCA) is not yet in compliance with. The second BR
> audit (the following year) is expected to confirm that the issues that
> were listed in the previous BR audit have been resolved.
> All other dates are as specified by the CA/Browser Forum."
> The intent was to recognize that there may be some situations in which a
> CA may not be able to comply with particular BRs in time for their first
> BR audit, and to allow a way for the CA to move towards full compliance
> while still being audited according to the BRs this year.
> The "effective dates" remain as stated by the CA/Browser Forum.

Kathleen, the BRs also say:
"The Requirements are not mandatory for Certification Authorities unless 
and until they become adopted and enforced by relying–party Application 
Software Suppliers."

IINM, the first Application Software Supplier to adopt/enforce the BRs 
was Mozilla, and the date you did that was significantly later than the 
"Effective Date".

> In my opinion, an SSL certificate that is issued after the Effective
> Date (July 1, 2012) that has a validity period of more than 60 months
> does not comply with BR #9.4 (regardless of the reason that certificate
> is issued). If a CA is engaging in this practice, then it should be
> called out as an exception in the BR audit statement.

Why would a BR audit cover anything that was "not mandatory for 
Certification Authorities" during the time period covered by the audit?

> Mozilla may decide to programatically enforce any of the BRs. Having an
> exception listed in a BR audit statement does *not* mean that Mozilla
> will continue to allow it in code.
> Kathleen
> On 8/26/13 11:32 AM, Rick Andrews wrote:
>> Gerv,
>> I'd like to understand if this represents a change in Mozilla's policy. Kathleen's previous statements seemed to indicate that the "effective date" for BR compliance was the first time the CA underwent their Web Trust for CAs audit after February 2013. Would this action push the "effective date" back to July 1, 2012?
>> -Rick
>>> -----Original Message-----
>>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>> On Behalf Of Gervase Markham
>>> Sent: Thursday, August 22, 2013 2:37 AM
>>> To: CABFPub
>>> Subject: Re: [cabfpub] Deprecating support for long-lived certificates
>>> On 19/08/13 18:27, Ryan Sleevi wrote:
>>>> These checks, which will be landed into the Chromium repository in
>>> the
>>>> beginning of 2014, will reject as invalid any and all certificates
>>>> that have been issued after the Baseline Requirements Effective Date
>>>> of 2012-07-1 and which have a validity period exceeding the specified
>>>> maximum of 60 months.
>>> We have filed a bug to consider taking the same action:
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=908125
>>> Gerv
>>> _______________________________________________
>>> Public mailing list
>>> Public at cabforum.org
>>> https://cabforum.org/mailman/listinfo/public
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.

More information about the Public mailing list