[cabfpub] Deprecating support for long-lived certificates

Rob Stradling rob.stradling at comodo.com
Mon Sep 2 03:48:36 MST 2013


On 29/08/13 01:23, Kathleen Wilson wrote:
> On 8/28/13 8:05 AM, Rob Stradling wrote:
>> On 26/08/13 21:56, Kathleen Wilson wrote:
>>> Rick,
>>>
>>> I believe you are referring to this:
>>> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
>>> "As of February 2013, SSL certificate issuance must also be audited
>>> according to the Baseline Requirements (BRs),  as described above. The
>>> first BR audit for each CA and subCA may include a reasonable list of
>>> BRs that the CA (or subCA) is not yet in compliance with. The second BR
>>> audit (the following year) is expected to confirm that the issues that
>>> were listed in the previous BR audit have been resolved.
>>> All other dates are as specified by the CA/Browser Forum."
>>>
>>> The intent was to recognize that there may be some situations in which a
>>> CA may not be able to comply with particular BRs in time for their first
>>> BR audit, and to allow a way for the CA to move towards full compliance
>>> while still being audited according to the BRs this year.
>>>
>>> The "effective dates" remain as stated by the CA/Browser Forum.
>>
>> Kathleen, the BRs also say:
>> "The Requirements are not mandatory for Certification Authorities
>> unless and until they become adopted and enforced by relying–party
>> Application Software Suppliers."
>>
>> IINM, the first Application Software Supplier to adopt/enforce the BRs
>> was Mozilla, and the date you did that was significantly later than
>> the "Effective Date".
>
> So, based on your reasoning, the "Effective Date" would be January 10,
> 2013?
> https://wiki.mozilla.org/CA:Communications#January_10.2C_2013
> Or February 14, 2013?
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy

Hi Kathleen.

The BRs "Effective Date" was July 1st 2012, but I've never been sure 
what exactly came into effect on that date, given the "not 
mandatory...until...adopted and enforced" sentence I quoted previously!

You wrote [1]...
   "As of February 2013, SSL certificate issuance must also be audited 
according to the Baseline Requirements (BRs), as described above. The 
first BR audit for each CA and subCA may include a reasonable list of 
BRs that the CA (or subCA) is not yet in compliance with. The second BR 
audit (the following year) is expected to confirm that the issues that 
were listed in the previous BR audit have been resolved."

However, you also wrote [1]...
   "All pre-existing subordinate CA certificates must be updated to 
comply with version 2.1 of the Inclusion Policy for new certificate 
issuance by May 15, 2014."

But then again, several months before the "Effective Date" you wrote [2]:
   "Please...update your operations and documentation as needed to meet 
the baseline requirements by the effective date of July 1, 2012."
Does this statement alone count as "...adopted and enforced by 
relying-party Application Software Suppliers"?  Or not?

TBH, I really don't know what dates are reasonable for requiring BR 
audits and/or programmatically enforcing the BRs!


[1] https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy

[2] https://wiki.mozilla.org/CA:Communications#February_17.2C_2012

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
