Closed
Bug 1222903
Opened 10 years ago
Closed 10 years ago
Reject EV status for EV EE certs that are valid for longer than 27 months as well
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla45
| Tracking | Status | |
|---|---|---|
| firefox45 | --- | fixed |
People
(Reporter: Cykesiopka, Assigned: Cykesiopka)
References
Details
(Keywords: dev-doc-complete, site-compat)
Attachments
(1 file, 1 obsolete file)
|
7.84 KB,
patch
|
Cykesiopka
:
review+
|
Details | Diff | Splinter Review |
Bug 1145679 disallowed any EV EE cert that had a validity period longer than 39 months from having EV status.
According to https://cabforum.org/2015/10/07/2015-10-07-face-to-face-meeting-minutes-meeting-36-istanbul/#Certificate-Validity-Periods, no change to the EV Guidelines will be made to bump max EV validity periods to 39 months:
> Certificate Validity Periods
> [...]
> •As a result, Kirk will not propose any change in cert validity periods.
I also have not seen any indications for bumping the limit in the archives of the CABF public mailing list at https://cabforum.org/pipermail/public/.
As such, it seems to be a good time to lower the limit to the 27 months allowed by the EV Guidelines.
|
||
Updated•10 years ago
|
Keywords: dev-doc-needed,
site-compat
|
Assignee | |
Comment 1•10 years ago
|
||
Bug 1222903 - Reject EV status for EV EE certs that are valid for longer than 27 months as well.
Attachment #8684937 -
Flags: review?(dkeeler)
|
|
Assignee | |
Comment 2•10 years ago
|
||
https://reviewboard.mozilla.org/r/24645/#review22217
::: security/manager/ssl/tests/unit/test_validity/moz.build:8
(Diff revision 1)
> - 'ev_ee_39_months-ev_int_60_months-evroot.pem',
> + 'ev_ee_28_months-ev_int_60_months-evroot.pem',
Oops, these two lines should be swapped.
|
|
Assignee | |
Comment 3•10 years ago
|
||
|
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8684937 [details]
MozReview Request: Bug 1222903 - Reject EV status for EV EE certs that are valid for longer than 27 months as well.
https://reviewboard.mozilla.org/r/24645/#review22277
This looks good. I had a quick look at how many EV certificates this will downgrade (according to certificate transparency), and while it's non-zero, it's not too many (I've found about 60 so far, but there was a flaw in my script, so I'll re-run it tomorrow and have a more accurate number).
Attachment #8684937 -
Flags: review?(dkeeler) → review+
|
|
Assignee | |
Comment 5•10 years ago
|
||
(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> This looks good. I had a quick look at how many EV certificates this will
> downgrade (according to certificate transparency), and while it's non-zero,
> it's not too many (I've found about 60 so far, but there was a flaw in my
> script, so I'll re-run it tomorrow and have a more accurate number).
It's slightly sad that this number isn't 0 when the EV GLs have been clear on this since the beginning, but oh well, at least the number isn't that high.
|
|
Assignee | |
Comment 6•10 years ago
|
||
+ Correctly sort moz.build test_certificates entries
Attachment #8684937 -
Attachment is obsolete: true
Attachment #8687224 -
Flags: review+
|
|
Assignee | |
Comment 7•10 years ago
|
||
Thanks for the review!
https://treeherder.mozilla.org/#/jobs?repo=try&revision=2dc18de3fa85
Keywords: checkin-needed
Keywords: checkin-needed
|
||
Comment 9•10 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox45:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
|
|
||
Comment 10•10 years ago
|
||
Posted the site compatibility doc: https://www.fxsitecompat.com/en-US/docs/2015/ev-certs-valid-for-more-than-27-months-will-be-treated-as-dv-certs/
|
||
Comment 11•10 years ago
|
||
Added an entry in:
https://developer.mozilla.org/en-US/Firefox/Releases/45#Security
Keywords: dev-doc-needed → dev-doc-complete
You need to log in
before you can comment on or make changes to this bug.
Description
•