[cabfpub] Apple's announcement on 1 year certs during F2F

Dean Coclin dean.coclin at digicert.com
Mon Apr 6 13:40:19 MST 2020


An inquiry was posted to the questions@ mailer regarding reconciling the
conflict between the two-year (825-day) maximum validity period in the
Baseline Requirements and the recently announced change to Apple's Root
Program limiting certificates to one year (398 days). In particular, this
prompted the question of what root programs consider "misissuance" (which
may carry additional penalties up to and including distrust) versus "we
simply won't trust certificates that don't conform to this", which seemed
like a valuable discussion for the public mailer.

As the person charged with responding to the questions@ list, I drafted a
response and sent it to the private CABF list for edits before sending back
to the questioner. In my response, I stated that a cert issued after 1 Sept
2020 would not be trusted in Apple products and I also essentially said that
Apple would not treat this as a violation which could result in penalties
toward the CA that issued such a cert. I was quickly corrected and pointed
to the minutes from the F2F meeting
(https://cabforum.org/2020/03/20/minutes-for-ca-browser-forum-f2f-meeting-49
-bratislava-19-20-february-2020/#Apple-Root-Program-Update) that in fact it
would be treated as a policy violation, meaning that Apple could impose
certain penalties (up to and including distrust) on any CA that issued a
publicly trusted cert in excess of 398 days after September 1st. 


Apparently, I was not the only one that was unclear on this as other forum
members (who also attended the F2F) chimed in with similar comments.
Unfortunately this discussion happened on the CABF private email list and
reposting is discouraged by our bylaws. Hence this new discussion topic. 

 

Actually I'm not sure there's much to discuss here. I only post this because
there are likely people outside of the Forum that are also unclear on
Apple's mandate. The Support article
(https://support.apple.com/en-us/HT211025) only contains technical details
related to implementation and does not discuss policy considerations. The
Apple ppt at the F2F
(https://cabforum.org/wp-content/uploads/11-Apple-Root-Program-Update.pdf)
is also silent on this topic. 

 

So to sum this up, according to Apple, if a publicly trusted CA issues a TLS
certificate with a validity period greater than 398 days after September 1,
2020, not only will it not be trusted in Apple products (technically
enforced in late 2020) but Apple will treat this as a policy violation and
an incident which may result in a CA's root certificate being distrusted.

 

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20200406/e9e38f69/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4916 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20200406/e9e38f69/attachment-0001.p7s>


More information about the Public mailing list