[cabfpub] Browser implementation of cert requirements

Peter Bowen pzb at amzn.com
Fri Mar 2 19:05:22 UTC 2018


I’m working on updating cablint to make sure it has checks that match browser checks.  These will be INFO level items if they don’t align with the BRs, but I think having them is valuable.

I’m hoping that the browsers can confirm a couple of things, so I get it right in cablint:

1) Safari and Chrome both require that the server send CT information for the certificate in order to get EV treatment.  There is no date-based selector for this (this rule has been in effect longer than the maximum validity period of an EV cert).

2) Chrome will require that the server send CT information for certificates that have notBefore >= 2018-05-01T00:00:00Z in order to not get an interstitial.

3) Chrome will present an interstitial for any certificate with notBefore >= 2018-03-01T00:00:00Z where the delta between notBefore and notAfter is greater than 71,280,000 seconds (825 days of 24 hours of 60 minutes of 60 seconds).

Are these correct?

Thanks,
Peter
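
The three rules asked about above, written as INFO-level lint checks. This is an added example, not part of the original message and not cablint's own code; the function names, finding ids and the `is_ev` parameter are hypothetical, and the rules are encoded as the message states them, not as confirmed browser behaviour. A linter that only reads the certificate sees embedded SCTs only, so CT information delivered through a TLS extension or a stapled OCSP response is outside what this check can observe.

```ruby
require "openssl"

# Dates and limits as stated in the message; unconfirmed browser behaviour.
CT_REQUIRED_FROM     = Time.utc(2018, 5, 1)
MAX_VALIDITY_FROM    = Time.utc(2018, 3, 1)
MAX_VALIDITY_SECONDS = 825 * 24 * 60 * 60 # 71,280,000
# Embedded SCT list extension (RFC 6962), by dotted OID and OpenSSL short name.
SCT_LIST_OIDS = ["1.3.6.1.4.1.11129.2.4.2", "ct_precert_scts"].freeze

def embedded_scts?(cert)
  cert.extensions.any? { |ext| SCT_LIST_OIDS.include?(ext.oid) }
end

# Returns INFO-level finding ids. is_ev comes from the caller (assumption:
# EV policy detection happens elsewhere).
def browser_info_findings(cert, is_ev: false)
  findings = []
  has_sct  = embedded_scts?(cert)
  lifetime = cert.not_after - cert.not_before # seconds
  findings << :ev_without_ct if is_ev && !has_sct
  findings << :ct_required if cert.not_before >= CT_REQUIRED_FROM && !has_sct
  if cert.not_before >= MAX_VALIDITY_FROM && lifetime > MAX_VALIDITY_SECONDS
    findings << :validity_over_825_days
  end
  findings
end

# Constructed, unsigned sample certificate; the SCT extension value is a
# placeholder, not a real SCT list.
def sample_cert(not_before, lifetime_seconds, sct: false)
  cert = OpenSSL::X509::Certificate.new
  cert.not_before = not_before
  cert.not_after  = not_before + lifetime_seconds
  if sct
    ext = OpenSSL::X509::Extension.new(SCT_LIST_OIDS.first, "\x00\x00", false)
    cert.add_extension(ext)
  end
  cert
end

if __FILE__ == $PROGRAM_NAME
  p browser_info_findings(sample_cert(Time.utc(2018, 3, 1), MAX_VALIDITY_SECONDS + 1))
end
```

The comparison is strict, so a certificate whose lifetime is exactly 71,280,000 seconds produces no finding, matching the "greater than" wording in item 3.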

