Closed Bug 1222903 Opened 4 years ago Closed 4 years ago

Reject EV status for EV EE certs that are valid for longer than 27 months as well

Categories: Core :: Security: PSM, defect
Status: RESOLVED FIXED
Target Milestone: mozilla45
Tracking Status: firefox45 --- fixed
People: Reporter: Cykesiopka, Assigned: Cykesiopka
Keywords: dev-doc-complete, site-compat
Attachments: 1 file, 1 obsolete file

Bug 1145679 disallowed any EV EE cert that had a validity period longer than 39 months from having EV status.

According to https://cabforum.org/2015/10/07/2015-10-07-face-to-face-meeting-minutes-meeting-36-istanbul/#Certificate-Validity-Periods, no change to the EV Guidelines will be made to bump max EV validity periods to 39 months:
> Certificate Validity Periods
> [...]
> • As a result, Kirk will not propose any change in cert validity periods.

I also have not seen any indications for bumping the limit in the archives of the CABF public mailing list at https://cabforum.org/pipermail/public/.

As such, it seems to be a good time to lower the limit to the 27 months allowed by the EV Guidelines.

Bug 1222903 - Reject EV status for EV EE certs that are valid for longer than 27 months as well.
Attachment #8684937 - Flags: review?(dkeeler)

https://reviewboard.mozilla.org/r/24645/#review22217

::: security/manager/ssl/tests/unit/test_validity/moz.build:8
(Diff revision 1)
> -    'ev_ee_39_months-ev_int_60_months-evroot.pem',
> +    'ev_ee_28_months-ev_int_60_months-evroot.pem',
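
Review bot: the new 28-month entry at moz.build:8 covers only the rejected side of the 27-month limit named in the bug title; if the list does not already name an EE fixture at exactly 27 months, add one so the test pins both sides of the boundary. Since the 39-month entry is removed here, also confirm that its certificate file is deleted from the test_validity directory rather than left unreferenced.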

Oops, these two lines should be swapped.

Comment on attachment 8684937 [details]
MozReview Request: Bug 1222903 - Reject EV status for EV EE certs that are valid for longer than 27 months as well.

https://reviewboard.mozilla.org/r/24645/#review22277

This looks good. I had a quick look at how many EV certificates this will downgrade (according to certificate transparency), and while it's non-zero, it's not too many (I've found about 60 so far, but there was a flaw in my script, so I'll re-run it tomorrow and have a more accurate number).
Attachment #8684937 - Flags: review?(dkeeler) → review+

(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> This looks good. I had a quick look at how many EV certificates this will
> downgrade (according to certificate transparency), and while it's non-zero,
> it's not too many (I've found about 60 so far, but there was a flaw in my
> script, so I'll re-run it tomorrow and have a more accurate number).

It's slightly sad that this number isn't 0 when the EV GLs have been clear on this since the beginning, but oh well, at least the number isn't that high.

+ Correctly sort moz.build test_certificates entries
Attachment #8684937 - Attachment is obsolete: true
Attachment #8687224 - Flags: review+

https://hg.mozilla.org/mozilla-central/rev/63873a854287
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45