[cabfpub] Deprecating support for long-lived certificates
Rob Stradling
rob.stradling at comodo.com
Mon Sep 2 10:48:36 UTC 2013
On 29/08/13 01:23, Kathleen Wilson wrote:
> On 8/28/13 8:05 AM, Rob Stradling wrote:
>> On 26/08/13 21:56, Kathleen Wilson wrote:
>>> Rick,
>>>
>>> I believe you are referring to this:
>>> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
>>> "As of February 2013, SSL certificate issuance must also be audited
>>> according to the Baseline Requirements (BRs), as described above. The
>>> first BR audit for each CA and subCA may include a reasonable list of
>>> BRs that the CA (or subCA) is not yet in compliance with. The second BR
>>> audit (the following year) is expected to confirm that the issues that
>>> were listed in the previous BR audit have been resolved.
>>> All other dates are as specified by the CA/Browser Forum."
>>>
>>> The intent was to recognize that there may be some situations in which a
>>> CA may not be able to comply with particular BRs in time for their first
>>> BR audit, and to allow a way for the CA to move towards full compliance
>>> while still being audited according to the BRs this year.
>>>
>>> The "effective dates" remain as stated by the CA/Browser Forum.
>>
>> Kathleen, the BRs also say:
>> "The Requirements are not mandatory for Certification Authorities
>> unless and until they become adopted and enforced by relying–party
>> Application Software Suppliers."
>>
>> IINM, the first Application Software Supplier to adopt/enforce the BRs
>> was Mozilla, and the date you did that was significantly later than
>> the "Effective Date".
>
> So, based on your reasoning, the "Effective Date" would be January 10,
> 2013?
> https://wiki.mozilla.org/CA:Communications#January_10.2C_2013
> Or February 14, 2013?
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy
Hi Kathleen.
The BRs "Effective Date" was July 1st 2012, but I've never been sure
what exactly came into effect on that date, given the "not
mandatory...until...adopted and enforced" sentence I quoted previously!
You wrote [1]...
"As of February 2013, SSL certificate issuance must also be audited
according to the Baseline Requirements (BRs), as described above. The
first BR audit for each CA and subCA may include a reasonable list of
BRs that the CA (or subCA) is not yet in compliance with. The second BR
audit (the following year) is expected to confirm that the issues that
were listed in the previous BR audit have been resolved."
However, you also wrote [1]...
"All pre-existing subordinate CA certificates must be updated to
comply with version 2.1 of the Inclusion Policy for new certificate
issuance by May 15, 2014."
But then again, several months before the "Effective Date" you wrote [2]:
"Please...update your operations and documentation as needed to meet
the baseline requirements by the effective date of July 1, 2012."
Does this statement alone count as "...adopted and enforced by
relying-party Application Software Suppliers"? Or not?
TBH, I really don't know what dates are reasonable for requiring BR
audits and/or programmatically enforcing the BRs!
[1] https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy
[2] https://wiki.mozilla.org/CA:Communications#February_17.2C_2012
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online