Limit TLS Certificates to 398 day validity after Aug 31, 2020 #204

Closed
wthayer opened this issue Mar 11, 2020 · 11 comments

Comments

@wthayer (Contributor) commented Mar 11, 2020

As proposed in https://groups.google.com/d/msg/mozilla.dev.security.policy/mz1buYdIy-I/oo9zHBADAQAJ

@WilsonKathleen WilsonKathleen added the 2.7.1 label Mar 17, 2020

@ghost commented Jun 29, 2020

This is getting ridiculous. Time to fork Mozilla.

@MMeent commented Jun 30, 2020

Just to confirm, @wthayer, will certs with a validity period of > 398 days that were issued before 2020-09-01 stay valid until they expire, similar to Apple's implementation? Or is this a blanket 'ban' on trusting certs with validity periods > 398 days after 2020-09-01?

The title is not clear on 'limit certs issued after' or 'limit certs valid after', and I've seen various news outlets report the latter interpretation.

@BenWilson-Mozilla (Collaborator) commented Jun 30, 2020

@MMeent The exact details of this proposal are still to be decided based on public discussion before they are incorporated into Mozilla policy. However, the proposal is that certificates issued before the effective date (TBD) would be valid until they expired. In other words, the policy would only apply to certificates issued after a certain date.

@Staja commented Jul 1, 2020

@BenWilson-Mozilla Will this affect user-added or administrator-added Root CAs?

@BenWilson-Mozilla (Collaborator) commented Jul 1, 2020

@Staja The intent would be to not affect the duration of leaf certificates from non-built-in roots, unless there is some other technical implication of which I am unaware.

@ghost commented Jul 1, 2020

@defacto64 commented Aug 26, 2020

Would it not be time to commit the change and publish Mozilla Root Store Policy 2.7.1?
September 1, 2020, is just a week away, and v1.7.1 of the BRs already restricts validity to 398 days ...

@sleevi (Contributor) commented Aug 26, 2020

@BenWilson-Mozilla (Collaborator) commented Aug 26, 2020

@BenWilson-Mozilla (Collaborator) commented Sep 25, 2020

On further review of the Mozilla Root Store Policy and the Baseline Requirements, I do not think the Mozilla Policy needs to be revised for this issue because validity periods are already stated in the Baseline Requirements. I will close this issue soon unless there are any strong concerns.

@BenWilson-Mozilla (Collaborator) commented Sep 29, 2020

Already addressed in the Baseline Requirements

@WilsonKathleen WilsonKathleen removed the 2.7.1 label Sep 29, 2020