Closed
Bug 1222903
Opened 8 years ago
Closed 8 years ago
Reject EV status for EV EE certs that are valid for longer than 27 months as well
Categories
(Core :: Security: PSM, defect)
Tracking
RESOLVED FIXED
mozilla45
Release | Tracking | Status |
---|---|---|
firefox45 | --- | fixed |
People
(Reporter: Cykesiopka, Assigned: Cykesiopka)
Details
(Keywords: dev-doc-complete, site-compat)
Attachments
(1 file, 1 obsolete file)
7.84 KB, patch | Cykesiopka: review+
Bug 1145679 disallowed any EV EE cert that had a validity period longer than 39 months from having EV status.

According to https://cabforum.org/2015/10/07/2015-10-07-face-to-face-meeting-minutes-meeting-36-istanbul/#Certificate-Validity-Periods, no change to the EV Guidelines will be made to bump max EV validity periods to 39 months:

> Certificate Validity Periods
> [...]
> • As a result, Kirk will not propose any change in cert validity periods.

I also have not seen any indications for bumping the limit in the archives of the CABF public mailing list at https://cabforum.org/pipermail/public/.

As such, it seems to be a good time to lower the limit to the 27 months allowed by the EV Guidelines.
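The 27-month limit described above, as an added example that is not part of the bug or of Firefox's code: a Python check a site operator could run over `openssl x509 -noout -dates` output to see whether an EV end-entity certificate's validity period exceeds 27 months. Counting the limit in calendar months is an assumption (the page does not say how Firefox measures it), and the sample names and dates are constructed.

```python
import calendar
from datetime import datetime

MAX_EV_MONTHS = 27  # limit named in the bug; counting calendar months is an assumption
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # as printed by `openssl x509 -noout -dates`


def parse_openssl_dates(text):
    """Return (not_before, not_after) parsed from `openssl x509 -noout -dates` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # Both values are GMT, so naive datetimes compare correctly.
            fields[key] = datetime.strptime(value.strip(), OPENSSL_FMT)
    if len(fields) != 2:
        raise ValueError("expected both notBefore and notAfter")
    return fields["notBefore"], fields["notAfter"]


def add_months(start, months):
    """Add calendar months, clamping the day (Nov 30 + 27 months -> Feb 28)."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)


def exceeds_ev_limit(not_before, not_after, months=MAX_EV_MONTHS):
    """True if the certificate is still valid after not_before + `months`."""
    return not_after > add_months(not_before, months)


# Constructed sample output; names and dates are illustrative, not real certificates.
SAMPLES = {
    "ee_27_months": "notBefore=Nov  5 00:00:00 2015 GMT\nnotAfter=Feb  5 00:00:00 2018 GMT",
    "ee_28_months": "notBefore=Nov  5 00:00:00 2015 GMT\nnotAfter=Mar  5 00:00:00 2018 GMT",
    "ee_month_end": "notBefore=Nov 30 12:00:00 2015 GMT\nnotAfter=Feb 28 12:00:00 2018 GMT",
}


def audit(samples=SAMPLES):
    """Map each sample name to True when its validity exceeds the limit."""
    return {name: exceeds_ev_limit(*parse_openssl_dates(text))
            for name, text in samples.items()}


if __name__ == "__main__":
    for name, over in audit().items():
        print(f"{name}: {'exceeds' if over else 'within'} {MAX_EV_MONTHS} months")
```

To check a real certificate, pass `parse_openssl_dates` the output of `openssl x509 -noout -dates -in cert.pem`, where `cert.pem` is a placeholder file name.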
Updated • 8 years ago
Keywords: dev-doc-needed, site-compat
Comment 1 (Assignee) • 8 years ago
Bug 1222903 - Reject EV status for EV EE certs that are valid for longer than 27 months as well.
Attachment #8684937 - Flags: review?(dkeeler)
Comment 2 (Assignee) • 8 years ago
https://reviewboard.mozilla.org/r/24645/#review22217 ::: security/manager/ssl/tests/unit/test_validity/moz.build:8 (Diff revision 1) > - 'ev_ee_39_months-ev_int_60_months-evroot.pem', > + 'ev_ee_28_months-ev_int_60_months-evroot.pem', Oops, these two lines should be swapped.
Comment 3 (Assignee) • 8 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=d5a2311a0409
Comment 4
Comment on attachment 8684937 [details]
MozReview Request: Bug 1222903 - Reject EV status for EV EE certs that are valid for longer than 27 months as well.

https://reviewboard.mozilla.org/r/24645/#review22277

This looks good. I had a quick look at how many EV certificates this will downgrade (according to certificate transparency), and while it's non-zero, it's not too many (I've found about 60 so far, but there was a flaw in my script, so I'll re-run it tomorrow and have a more accurate number).
Attachment #8684937 - Flags: review?(dkeeler) → review+
Comment 5 (Assignee) • 8 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> This looks good. I had a quick look at how many EV certificates this will
> downgrade (according to certificate transparency), and while it's non-zero,
> it's not too many (I've found about 60 so far, but there was a flaw in my
> script, so I'll re-run it tomorrow and have a more accurate number).

It's slightly sad that this number isn't 0 when the EV GLs have been clear on this since the beginning, but oh well, at least the number isn't that high.
Comment 6 (Assignee) • 8 years ago
+ Correctly sort moz.build test_certificates entries
Attachment #8684937 - Attachment is obsolete: true
Attachment #8687224 - Flags: review+
Comment 7 (Assignee) • 8 years ago
Thanks for the review! https://treeherder.mozilla.org/#/jobs?repo=try&revision=2dc18de3fa85
Keywords: checkin-needed
Comment 9 • 8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/63873a854287
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox45: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Comment 10 • 8 years ago
Posted the site compatibility doc: https://www.fxsitecompat.com/en-US/docs/2015/ev-certs-valid-for-more-than-27-months-will-be-treated-as-dv-certs/
Comment 11 • 8 years ago
Added an entry in: https://developer.mozilla.org/en-US/Firefox/Releases/45#Security
Keywords: dev-doc-needed → dev-doc-complete