[cabfpub] SHA-1 changes and certificate lifetimes

Brian Smith bsmith at mozilla.com
Wed Nov 13 10:51:05 UTC 2013


The other major benefit of shorter certificate lifetimes is that
revocation lists (CRLs, CRLSets, etc.) are more manageable the shorter
the certificate lifetimes are.

> So, my proposal (I will draft a formal ballot after we have discussed it
> more) is that we change section 9.4.1 and alter the occurrences of "1st
> April 2015" date to "1st January 2014", and change the "39" to a "36".
> 36 months from 1st January 2014 is 1st January 2017, and this dovetails
> nicely with the date announced by Microsoft when Windows will stop
> recognising SHA-1 certs.

I propose that we require that all newly-issued SHA-1 certificates must have a notAfter date of 2017-01-01 or earlier, and CAs should work with customers to replace all existing SHA-1 certificates with a notAfter date later than 2017-01-01 before 2016-07-01. And, let's agree to enforce this in browsers by a check that rejects any SHA1 cert with notBefore >= 2014-03-01 and notAfter > 2017-01-01, for any built-in CA, to be deployed before 2014-03-01. And, let's agree to review this yearly and adjust accordingly.

This is the only realistic way that the 2017-01-01 cutoff date is going to be met, AFAICT.

Note that I'm not proposing these changes as a substitute for what you are proposing. AFAICT, what you are proposing is more general, and my proposal is complementary to it.

Cheers,
Brian
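The browser-side check proposed in the message above (reject a SHA-1 certificate whose notBefore is on or after 2014-03-01 and whose notAfter is after 2017-01-01), written out as an added example. This is not code from the original post or from any browser: it carries its own minimal DER reader, just enough to reach tbsCertificate.signature and validity, a minimal DER writer used only to construct skeleton sample certificates inline, and the standard SHA-1 signature-algorithm OIDs; the two cutoff dates are the ones the post proposes.

```python
# Added example: the browser-side SHA-1 sunset check proposed on the list,
# applied to a DER-encoded certificate. Not code from the original post or
# from any browser; the DER reader/writer and sample certificates are
# constructed here for illustration.
from datetime import datetime, timezone

UTC = timezone.utc
# Standard SHA-1 signature AlgorithmIdentifier OIDs (RFC 3279 / RFC 5758).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1":    "ecdsa-with-SHA1",
    "1.2.840.10040.4.3":    "dsa-with-sha1",
}
# Dates from the proposal.
ISSUED_ON_OR_AFTER = datetime(2014, 3, 1, tzinfo=UTC)
EXPIRES_AFTER = datetime(2017, 1, 1, tzinfo=UTC)

# ---- minimal DER reader: just enough to reach signature and validity ----
def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the definite-length TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end

def read_children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(value):
    arcs = [2, value[0] - 80] if value[0] >= 80 else [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def decode_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:    # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        y = int(s[:2]); y += 1900 if y >= 50 else 2000; s = s[2:]
    elif tag == 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ (required for >= 2050)
        y = int(s[:4]); s = s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime(y, int(s[0:2]), int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), tzinfo=UTC)

def extract(cert_der):
    """Return (signature OID, notBefore, notAfter) from a DER Certificate."""
    _, cert, _ = read_tlv(cert_der)
    tbs = read_children(cert)[0][1]
    fields = read_children(tbs)
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, ...
    sig_oid = decode_oid(read_children(fields[1][1])[0][1])
    nb, na = read_children(fields[3][1])
    return sig_oid, decode_time(*nb), decode_time(*na)

def rejected_by_sha1_policy(cert_der):
    """True if the cert is SHA-1 signed, issued on/after 2014-03-01 and
    expires after 2017-01-01; everything else is left to normal validation."""
    sig_oid, not_before, not_after = extract(cert_der)
    if sig_oid not in SHA1_SIG_OIDS:
        return False
    return not_before >= ISSUED_ON_OR_AFTER and not_after > EXPIRES_AFTER

# ---- minimal DER writer, used only to construct the sample certificates ----
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]; a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F)); a >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def sample_cert(sig_oid, not_before, not_after, generalized=False):
    """Constructed skeleton Certificate: only the fields the check reads are
    meaningful; issuer, subject, key and signature are empty placeholders."""
    fmt = "%Y%m%d%H%M%SZ" if generalized else "%y%m%d%H%M%SZ"
    t = lambda d: tlv(0x18 if generalized else 0x17, d.strftime(fmt).encode())
    alg = tlv(0x30, encode_oid(sig_oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + tlv(0x30, t(not_before) + t(not_after))
              + tlv(0x30, b"") + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"

def demo():
    """Run the policy over constructed boundary cases; returns name -> rejected."""
    d = lambda *a: datetime(*a, tzinfo=UTC)
    cases = {
        "sha1 issued 2014-03-01 expires 2017-06-30": sample_cert(SHA1_RSA, d(2014, 3, 1), d(2017, 6, 30)),
        "sha1 issued 2014-02-28 expires 2017-06-30": sample_cert(SHA1_RSA, d(2014, 2, 28), d(2017, 6, 30)),
        "sha1 issued 2014-06-01 expires 2017-01-01": sample_cert(SHA1_RSA, d(2014, 6, 1), d(2017, 1, 1)),
        "sha1 issued 2014-06-01 expires 2050-01-01": sample_cert(SHA1_RSA, d(2014, 6, 1), d(2050, 1, 1), generalized=True),
        "sha256 issued 2014-06-01 expires 2018-01-01": sample_cert(SHA256_RSA, d(2014, 6, 1), d(2018, 1, 1)),
    }
    return {name: rejected_by_sha1_policy(der) for name, der in cases.items()}

if __name__ == "__main__":
    for name, rejected in demo().items():
        print("REJECT" if rejected else "accept", name)
```

Two details matter in practice. The post scopes the rule to certificates chaining to a built-in CA, so in a real client this predicate runs inside path validation, after the chain's trust anchor is known, and is not applied to private roots; the example checks only the leaf's own fields. And a notBefore of exactly 2014-03-01 or a notAfter of exactly 2017-01-01 must be handled as the post states (on-or-after for issuance, strictly-after for expiry), which is why the boundary cases are included.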