[cabfpub] Deprecating support for long-lived certificates
rob.stradling at comodo.com
Wed Aug 28 15:05:35 UTC 2013
On 26/08/13 21:56, Kathleen Wilson wrote:
> I believe you are referring to this:
> "As of February 2013, SSL certificate issuance must also be audited
> according to the Baseline Requirements (BRs), as described above. The
> first BR audit for each CA and subCA may include a reasonable list of
> BRs that the CA (or subCA) is not yet in compliance with. The second BR
> audit (the following year) is expected to confirm that the issues that
> were listed in the previous BR audit have been resolved.
> All other dates are as specified by the CA/Browser Forum."
> The intent was to recognize that there may be some situations in which a
> CA may not be able to comply with particular BRs in time for their first
> BR audit, and to allow a way for the CA to move towards full compliance
> while still being audited according to the BRs this year.
> The "effective dates" remain as stated by the CA/Browser Forum.
Kathleen, the BRs also say:
"The Requirements are not mandatory for Certification Authorities unless
and until they become adopted and enforced by relying-party Application
IINM, the first Application Software Supplier to adopt/enforce the BRs
was Mozilla, and the date you did that was significantly later than the
> In my opinion, an SSL certificate that is issued after the Effective
> Date (July 1, 2012) that has a validity period of more than 60 months
> does not comply with BR #9.4 (regardless of the reason that certificate
> is issued). If a CA is engaging in this practice, then it should be
> called out as an exception in the BR audit statement.
Why would a BR audit cover anything that was "not mandatory for
Certification Authorities" during the time period covered by the audit?
> Mozilla may decide to programmatically enforce any of the BRs. Having an
> exception listed in a BR audit statement does *not* mean that Mozilla
> will continue to allow it in code.
> On 8/26/13 11:32 AM, Rick Andrews wrote:
>> I'd like to understand if this represents a change in Mozilla's policy. Kathleen's previous statements seemed to indicate that the "effective date" for BR compliance was the first time the CA underwent their Web Trust for CAs audit after February 2013. Would this action push the "effective date" back to July 1, 2012?
>>> -----Original Message-----
>>> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org]
>>> On Behalf Of Gervase Markham
>>> Sent: Thursday, August 22, 2013 2:37 AM
>>> To: CABFPub
>>> Subject: Re: [cabfpub] Deprecating support for long-lived certificates
>>> On 19/08/13 18:27, Ryan Sleevi wrote:
>>>> These checks, which will be landed into the Chromium repository in
>>>> beginning of 2014, will reject as invalid any and all certificates
>>>> that have been issued after the Baseline Requirements Effective Date
>>>> of 2012-07-1 and which have a validity period exceeding the specified
>>>> maximum of 60 months.
>>> We have filed a bug to consider taking the same action:
>>> Public mailing list
>>> Public at cabforum.org
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
COMODO CA Limited, Registered in England No. 04058690
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
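The Chromium check Ryan Sleevi describes above (reject any certificate issued on or after the BR Effective Date whose validity period exceeds 60 months) can be written as a relying-party side check like the one below. This is an added illustration, not code from the thread or from Chromium; it assumes "60 months" means calendar months counted from notBefore, with a day-of-month clamp for short months, and the sample certificates are constructed.

```python
import calendar
from datetime import date

BR_EFFECTIVE_DATE = date(2012, 7, 1)   # BR Effective Date cited in the thread
BR_MAX_VALIDITY_MONTHS = 60            # BR 9.4 maximum cited in the thread


def add_months(d, months):
    """Add calendar months to a date, clamping to the last day of the
    target month (e.g. 31 Jan + 1 month -> 28 Feb). Assumption: this is
    how a '60 month' validity period is measured."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def violates_br_max_validity(not_before, not_after):
    """True if the certificate was issued on/after the Effective Date and
    notAfter lies beyond notBefore + 60 calendar months. Certificates
    issued before the Effective Date are out of scope, matching the
    check described in the thread."""
    if not_before < BR_EFFECTIVE_DATE:
        return False
    return not_after > add_months(not_before, BR_MAX_VALIDITY_MONTHS)


def flag_long_lived(certs):
    """Return the names of certificates the check would reject.
    `certs` is an iterable of (name, notBefore, notAfter) tuples."""
    return [name for name, nb, na in certs if violates_br_max_validity(nb, na)]


# Constructed sample certificates (not real issuances).
SAMPLE_CERTS = [
    ("pre-br-10yr",  date(2012, 6, 30), date(2022, 6, 30)),  # before Effective Date: ignored
    ("exact-60mo",   date(2012, 7, 1),  date(2017, 7, 1)),   # exactly 60 months: allowed
    ("over-60mo",    date(2012, 7, 1),  date(2017, 7, 2)),   # one day over: rejected
    ("leap-edge",    date(2013, 1, 31), date(2018, 1, 31)),  # 60 months from a 31st: allowed
]

if __name__ == "__main__":
    print(flag_long_lived(SAMPLE_CERTS))
```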