Ballot SC22: Reduce Certificate Lifetimes #138

Draft pull request; wants to merge 9 commits into base: master

Ballot SCXX: Improve Certificate Lifetimes

sleevi committed Jul 26, 2019
commit 2b06f7839daa45f685e37c51d74e255ef4ff9d75
@@ -118,6 +118,7 @@ The following Certificate Policy identifiers are reserved for use by CAs as an o
| 1.6.4 | SC15 | Remove Validation Method Number 9 | 5-Feb-2019 | 16-Mar-2019 |
| 1.6.4 | SC7 | Update IP Address Validation Methods | 8-Feb-2019 | 16-Mar-2019 |
| 1.6.5 | SC16 | Other Subject Attributes | 15-Mar-2019 | 16-Apr-2019 |
| 1.8.0 | SCXX | Improved Certificate Lifetimes | XX-Xxx-2019 | 1-Mar-2020 |

\* Effective Date and Additionally Relevant Compliance Date(s)
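Review bot: the new Document History row still carries placeholder values (`SCXX`, `XX-Xxx-2019`) that must be replaced with the assigned ballot number and adoption date before this merges, and its title "Improved Certificate Lifetimes" does not match the pull request title "Reduce Certificate Lifetimes"; pick one name and use it in both history tables and the commit message.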

@@ -152,6 +153,7 @@ The following Certificate Policy identifiers are reserved for use by CAs as an o
|2019-06-01 | 3.2.2.4.3 | CAs SHALL NOT perform validations using this method after May 31, 2019. Completed validations using this method SHALL continue to be valid for subsequent issuance per the applicable certificate data reuse periods.
|2019-08-01 | 3.2.2.5 | CAs SHALL maintain a record of which IP validation method, including the relevant BR version number, was used to validate every IP Address |
|2019-08-01 | 3.2.2.5.4 | CAs SHALL NOT perform validations using this method after July 31, 2019. Completed validations using this method SHALL NOT be re-used for certificate issuance after July 31, 2019. Any certificate issued prior to August 1, 2019 containing an IP Address that was validated using any method that was permitted under the prior version of this section 3.2.2.5 MAY continue to be used without revalidation until such certificate naturally expires |
| 2020-03-01 | 4.2.1 and 6.3.2 | Certificates issued MUST NOT have a Validity Period greater than 397 days and re-use of validation information limited to 397 days |

## 1.3 PKI Participants
The CA/Browser Forum is a voluntary organization of Certification Authorities and suppliers of Internet browser and other relying-party software applications.
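Review bot: the 2020-03-01 summary row should say "Subscriber Certificates", since the 6.3.2 text it summarises limits Subscriber Certificates only and the current wording reads as if it covered CA certificates as well; the row also breaks the table's spacing convention (`|2019-08-01 |` in the rows above versus `| 2020-03-01 |` here), so align it with its neighbours.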
@@ -858,9 +860,11 @@ Applicant information MUST include, but not be limited to, at least one Fully-Qu

Section 6.3.2 limits the validity period of Subscriber Certificates. The CA MAY use the documents and data provided in Section 3.2 to verify certificate information, or may reuse previous validations themselves, provided that:

> (1) Prior to March 1, 2018, the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 39 months prior to issuing the Certificate; and
> (1) On or after March 1, 2020, the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 397 days prior to issuing the Certificate; and
>
> (2) On or after March 1, 2018, the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 825 days prior to issuing the Certificate.
> (2) On or after March 1, 2018 and prior to March 1, 2020, the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 825 days prior to issuing the Certificate; and
>
> (3) Prior to March 1, 2018, the CA obtained the data or document from a source specified under Section 3.2 or completed the validation itself no more than 39 months prior to issuing the Certificate.
In no case may a prior validation be reused if any data or document used in the prior validation was obtained more than the maximum time permitted for reuse of the data or document prior to issuing the Certificate.
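Review bot: renumbering the reuse conditions so that (1) now denotes the on-or-after-March-2020 period changes the meaning of any existing reference to "Section 4.2.1 (1)" or "(2)", which previously named the pre-2018 and post-2018 periods; either append the 397-day condition as a new item and keep the original numbering, or confirm that no CA policy or audit criterion cites these items by number. The closing sentence "In no case may a prior validation be reused..." also still runs directly against the quoted list with no blank line, so Markdown renders it as a continuation of item (3).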

@@ -1447,8 +1451,9 @@ The CA SHALL protect its Private Key in a system or device that has been validat
### 6.3.1 Public key archival

### 6.3.2 Certificate operational periods and key pair usage periods
Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days.
Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months.
Subscriber Certificates issued on or after 1 March 2020 MUST NOT have a Validity Period greater than 397 days.
Subscriber Certificates issued on or after 1 March 2018 but prior to 1 March 2020 MUST NOT have a Validity Period greater than 825 days.
Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST NOT have a Validity Period greater than 39 months.

## 6.4 Activation data
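Review bot: the three sentences in 6.3.2 are inconsistent about their boundaries: the 2020 and 2018 sentences now say "on or after" while the 2016 sentence keeps "after 1 July 2016", leaving 1 July 2016 itself covered by no sentence, so change it to "on or after" as well. At 397 days a single day decides compliance, so the section (or the Validity Period definition it relies on) should state how the period is measured between notBefore and notAfter, inclusive or exclusive.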

@@ -75,12 +75,14 @@ The CA/Browser Forum is a voluntary open organization of certification authoriti
| 1.6.8 | 217 | Sunset RFC 2527 | 21 Dec 2017 | 9 Mar 2018 |
| 1.6.9 | SC16 | Other Subject Attributes | 15 Mar 2019 | 16 Apr 2019 |
| 1.7.0 | SC17 | Alternative registration numbers for EV certificates | 21 May 2019 | 21 June 2019 |
| 1.8.0 | SCXX | Improved Certificate Lifetimes | XX-Xxx-2019 | 1-Mar-2020 |

### Relevant Dates

| **Compliance** | **Section(s)** | **Summary Description (See Full Text for Details)** |
| --- | --- | --- |
| 2020-01-31 | 9.2.8 | If subject:organizationIdentifier is present, the Subject Organization Identifier Extension MUST be present |
| 2020-03-01 | 6.3.2 | Certificates issued MUST NOT have a Validity Period greater than 397 days |

**Implementers' Note:** Version 1.3 of these EV Guidelines was published on 20 November 2010 and supplemented through May 2012 when version 1.4 was published. ETSI TS 102 042 and ETSI TR 101 564 Technical Report: Guidance on ETSI TS 102 042 for Issuing Extended Validation Certificates for Auditors and CSPs reference version 1.3 of these EV Guidelines, and ETSI Draft EN 319 411-1 references version 1.4. Version 1.4.5 of Webtrust(r) for Certification Authorities – Extended Validation Audit Criteria references version 1.4.5 of these EV Guidelines. As illustrated in the Document History table above, the CA/Browser Forum continues to improve relevant industry guidelines, including this document, the Baseline Requirements, and the Network and Certificate System Security Requirements. We encourage all CAs to conform to each revision on the date specified without awaiting a corresponding update to an applicable audit criterion. In the event of a conflict between an existing audit criterion and a guideline revision, we will communicate with the audit community and attempt to resolve any uncertainty. We will respond to implementation questions directed to questions@cabforum.org. Our coordination with compliance auditors will continue as we develop guideline revision cycles that harmonize with the revision cycles for audit criteria, the compliance auditing periods and cycles of CAs, and the CA/Browser Forum's guideline implementation dates.
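Review bot: the new history row uses hyphenated dates (`XX-Xxx-2019`, `1-Mar-2020`) where every other row of this table writes dates as `21 May 2019`, and it still has the `SCXX` placeholders; in addition, the Relevant Dates row cites section 6.3.2, which is a Baseline Requirements section rather than a section of these EV Guidelines, so label it explicitly (for example "BR 6.3.2", or cite 9.4 of this document) to avoid pointing readers at a nonexistent EV section.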

@@ -598,7 +600,9 @@ A Certificate issued to a Subscriber MUST contain one or more policy identifier(

## 9.4. Maximum Validity Period For EV Certificate

The validity period for an EV Certificate SHALL NOT exceed 825 days. It is RECOMMENDED that EV Subscriber Certificates have a maximum validity period of twelve months.
The Requirements of Section 6.3.2 of the Baseline Requirements apply equally to EV Certificates.

It is RECOMMENDED that EV Subscriber Certificates issued prior to 1 March 2020 have a maximum Validity Period of twelve months.

## 9.5. Subscriber Public Key
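Review bot: after this change 9.4, titled "Maximum Validity Period For EV Certificate", no longer states any maximum itself; consider restating the 397-day limit alongside the reference to BR 6.3.2 so the EV Guidelines remain readable on their own. The retained twelve-month recommendation is scoped to certificates issued prior to 1 March 2020, which is this ballot's compliance date per the history table, so once the text is in force the sentence recommends nothing; either drop the date qualifier or drop the sentence.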

@@ -1322,21 +1326,21 @@ A CA may rely on a previously verified certificate request to issue a replacemen

(1) Except for reissuance of an EV Certificate under Section 11.14.2 and except when permitted otherwise in Section 11.14.1, the age of all data used to support issuance of an EV Certificate (before revalidation is required) SHALL NOT exceed the following limits:

(A) Legal existence and identity – thirteen months;
(A) Legal existence and identity – 397 days;

(B) Assumed name – thirteen months;
(B) Assumed name – 397 days;

(C) Address of Place of Business – thirteen months;
(C) Address of Place of Business – 397 days;

(D) Verified Method of Communication – thirteen months;
(D) Verified Method of Communication – 397 days;

(E) Operational existence – thirteen months;
(E) Operational existence – 397 days;

(F) Domain Name – thirteen months;
(F) Domain Name – 397 days;

(G) Name, Title, Agency, and Authority – thirteen months, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated.
(G) Name, Title, Agency, and Authority – 397 days, unless a contract between the CA and the Applicant specifies a different term, in which case, the term specified in such contract controls. For example, the contract MAY include the perpetual assignment of EV roles until revoked by the Applicant or CA, or until the contract expires or is terminated.

(2) The thirteen-month period set forth above SHALL begin to run on the date the information was collected by the CA.
(2) The 397 day period set forth above SHALL begin to run on the date the information was collected by the CA.

(3) The CA MAY reuse a previously submitted EV Certificate Request, Subscriber Agreement, or Terms of Use, including use of a single EV Certificate Request in support of multiple EV Certificates containing the same Subject to the extent permitted under Sections 11.9 and 11.10.
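Review bot: item (2) should read "397-day period" (hyphenated compound adjective), matching the "thirteen-month period" wording it replaces; the substitutions in (A) through (G) and the start-of-period rule are otherwise consistent with the 397-day reuse limit added to BR 4.2.1 in this same commit.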

@@ -1776,7 +1780,7 @@ cabf-applicantSigningNonce OBJECT IDENTIFIER ::= { cabf 42 }
4. Each Certificate that includes a Domain Name where .onion is in the right-most label of the Domain Name MUST conform to the requirements of these Guidelines, including the content requirements in Section 7.1 of the Baseline Requirements, except that the CA MAY include a wildcard character in the Subject Alternative Name Extension and Subject Common Name Field as the left-most character in the .onion Domain Name provided inclusion of the wildcard character complies with Section 3.2.2.6 of the Baseline Requirements.
5. CAs MUST NOT issue a Certificate that includes a Domain Name where .onion is in the right-most label of the Domain Name with a validity period longer than 15 months.
5. CAs MUST NOT issue a Certificate that includes a Domain Name where .onion is in the right-most label of the Domain Name with a Validity Period longer than 15 months.
6. When a Certificate that includes a Domain Name where .onion is in the right-most label of the Domain Name, the Domain Name shall not be considered an Internal Name if the Certificate was issued in compliance with this Appendix F.
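Review bot: item 5 keeps the 15-month Validity Period ceiling for .onion certificates even though the revised 9.4 makes BR 6.3.2 (397 days from 1 March 2020) apply equally to EV Certificates, so the two limits now conflict for certificates issued after that date; either reduce this item to 397 days or state which limit controls. The only change in this hunk is the capitalisation of "Validity Period", which is correct for the defined term.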