[cabfpub] BR Rekey Rules

Gervase Markham gerv at mozilla.org
Mon Apr 21 07:06:00 MST 2014


On 18/04/14 16:50, Eddy Nigg wrote:
> Maybe Gerv can clarify this - according to my understanding CAs must
> validate data of certificates every 3 years if the current life-time of
> the certificate is longer than that (because permitted for some time
> according to the BR).

http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/

section 6:

"We require that all CAs whose certificates are distributed with our
software products:
...
verify that all of the information that is included in SSL certificates
remains current and correct at time intervals of thirty-nine months or
less;"

My reading of that is that if it ever comes to pass that a certificate
signed by your CA has not had the information within it revalidated in
the last 39 months, and is still valid, then that's in violation of this
policy item.

This is obviously not a problem if you issue certificates whose lifetime
is 39 months or less and you get fresh information at the time of cert
issuance; but if you issue certificates which last longer, or you issue
certs based on old information, you need to make sure that the
information is revalidated on or before the date it reaches 39 months
old. If this is not done, I would expect the cert to be revoked.

There is no problem with revalidating the info while the cert is still
in use. And if the info remains the same, there is obviously no
requirement to change the cert or otherwise interrupt service.

Kathleen is away at the moment; but any CA who disputes this reading is
welcome to drop Kathleen and me a line.

Gerv
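The 39-month rule above, turned into a small compliance check (an added example, not part of Gerv's post or of any CA's tooling). The function and field names, and the sample dates, are constructed for illustration; the only input from the thread is the 39-month interval.

```python
from datetime import date
import calendar

# Mozilla inclusion policy, section 6: certificate information must be
# re-verified at intervals of 39 months or less.
REVALIDATION_MONTHS = 39


def add_months(d: date, months: int) -> date:
    """Add calendar months; clamp the day so Jan 31 + 1 month is Feb 28/29."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def revalidation_deadline(validated_on: date) -> date:
    """Date on which the information behind the cert turns 39 months old."""
    return add_months(validated_on, REVALIDATION_MONTHS)


def check_certificate(validated_on: date, not_after: date, today: date):
    """Classify one certificate against the 39-month rule.

    Returns (status, deadline):
      'expired'       cert no longer valid, nothing to revalidate
      'ok'            cert expires before its information turns 39 months old
      'overdue'       still valid on stale information (Gerv: expect revocation)
      'revalidate-by' still in the window; deadline says when it closes
    """
    deadline = revalidation_deadline(validated_on)
    if today > not_after:
        return "expired", deadline
    if not_after <= deadline:
        return "ok", deadline
    if today > deadline:
        return "overdue", deadline
    return "revalidate-by", deadline


if __name__ == "__main__":
    today = date(2014, 4, 21)  # constructed: date of the thread
    # constructed sample: a 5-year cert issued on data verified 2013-01-31
    print(check_certificate(date(2013, 1, 31), date(2018, 2, 1), today))
```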

