Closed
Bug 1344593
Opened 7 years ago
Closed 7 years ago
Block certificates with overly long durations / lifetimes / validity
Categories
(Core :: Security: PSM, defect)
RESOLVED
DUPLICATE
of bug 908125
People
(Reporter: djcater+bugzilla, Unassigned)
Details
The Baseline Requirements first stated a maximum certificate lifetime of 60 months in version 1.0, effective 2012-07-01. Subsequently, version 1.2.4 stated that the maximum lifetime was reduced to 39 months starting on 2015-04-01, although still up to 60 with detailed justification. Version 1.3.3 removed the exception and required a maximum of 39 months from 2016-02-04.

For reference, Google Chrome has implemented a block on the following types of certificates (all chaining up to publicly trusted roots - private CAs are excluded for now):

- Those issued after 2012-07-01 and that are valid for longer than 60 months
- Those issued after 2015-04-01 and that are valid for longer than 39 months (ignoring the exception period)
- Those issued before 2012-07-01 and that are valid for longer than 120 months (pre-BR common practice limit of 10 years)
- Those issued before 2012-07-01 and that expire after 2019-07-01 (7 years, I can't find a reference for this choice. Without this part, the previous point would allow certificates expiring up until 2022-06-30)

Reference code: https://chromium.googlesource.com/chromium/src/+/master/net/cert/cert_verify_proc.cc#793 (Look for HasTooLongValidity function).

"Month" is not well-defined, but Chrome seems to use calendar months, with a leeway of up to 23:59:59 over (e.g. 2017-01-01 00:00:00 through to 2020-04-01 23:59:59 doesn't return an error).
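The four rules and the calendar-month counting described in the report above, written out as an added C++ example; it is not part of the original report and is not Chromium's or Firefox's code. The `Date` struct and the function names are hypothetical, and it assumes that "issued" means the certificate's notBefore date, that the issuance thresholds include the threshold date itself, that time of day is ignored, and that the caller applies the check only to chains ending in a publicly trusted root.

```cpp
#include <cstdio>
#include <tuple>

// UTC calendar date. Time of day is ignored (assumption), which reproduces
// the "up to 23:59:59 over" leeway described in the report.
struct Date { int year, month, day; };

static bool Before(const Date& a, const Date& b) {
  return std::tie(a.year, a.month, a.day) < std::tie(b.year, b.month, b.day);
}

// Calendar months from start to expiry; leftover days count as a full month.
int ValidityMonths(const Date& start, const Date& expiry) {
  int months = (expiry.year - start.year) * 12 + (expiry.month - start.month);
  if (expiry.day > start.day) ++months;
  return months;
}

// True when notBefore/notAfter violate one of the four rules in the report.
// Assumptions: "issued" means notBefore; issuance thresholds are inclusive.
bool HasOverlongValidity(const Date& start, const Date& expiry) {
  const Date kBrEffective{2012, 7, 1};   // BR 1.0: 60-month limit
  const Date kBr39Months{2015, 4, 1};    // BR 1.2.4: 39-month limit
  const Date kLegacyCutoff{2019, 7, 1};  // latest expiry for pre-BR certs
  if (Before(expiry, start)) return true;  // inverted period: reject
  const int months = ValidityMonths(start, expiry);
  if (Before(start, kBrEffective))
    return months > 120 || Before(kLegacyCutoff, expiry);
  if (Before(start, kBr39Months)) return months > 60;
  return months > 39;
}

int main() {
  // Constructed sample validity periods, not taken from real certificates.
  const Date samples[][2] = {
      {{2017, 1, 1}, {2020, 4, 1}},    // the report's example: exactly 39 months
      {{2017, 1, 1}, {2020, 4, 2}},    // one day more: counted as 40 months
      {{2012, 6, 30}, {2022, 6, 30}},  // pre-BR, 120 months, but past 2019-07-01
  };
  for (const auto& s : samples)
    std::printf("%04d-%02d-%02d .. %04d-%02d-%02d -> %s\n", s[0].year,
                s[0].month, s[0].day, s[1].year, s[1].month, s[1].day,
                HasOverlongValidity(s[0], s[1]) ? "blocked" : "ok");
}
```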
Comment 1•7 years ago
Thanks for filing the bug. Bug 908125 is already filed for this, so I'll dupe this over.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE