Closed Bug 1344593 Opened 7 years ago Closed 7 years ago

Block certificates with overly long durations / lifetimes / validity

Categories

(Core :: Security: PSM, defect)

RESOLVED DUPLICATE of bug 908125

People

(Reporter: djcater+bugzilla, Unassigned)

Details

The Baseline Requirements first stated a maximum certificate lifetime of 60 months in version 1.0, effective 2012-07-01.

Subsequently, version 1.2.4 stated that the maximum lifetime was reduced to 39 months starting on 2015-04-01, although still up to 60 with detailed justification. Version 1.3.3 removed the exception and required a maximum of 39 months from 2016-02-04.

For reference, Google Chrome has implemented a block on the following types of certificates (all chaining up to publicly trusted roots - private CAs are excluded for now):

- Those issued after 2012-07-01 and that are valid for longer than 60 months
- Those issued after 2015-04-01 and that are valid for longer than 39 months (ignoring the exception period)
- Those issued before 2012-07-01 and that are valid for longer than 120 months (pre-BR common practice limit of 10 years)
- Those issued before 2012-07-01 and that expire after 2019-07-01 (7 years; I can't find a reference for this choice. Without this part, the previous point would allow certificates expiring up until 2022-06-30)

Reference code: https://chromium.googlesource.com/chromium/src/+/master/net/cert/cert_verify_proc.cc#793

(Look for the HasTooLongValidity function.)

"Month" is not well-defined, but Chrome seems to use calendar months, with a leeway of up to 23:59:59 over (e.g. 2017-01-01 00:00:00 through to 2020-04-01 23:59:59 doesn't return an error).
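The four rules listed above, carried through as an added example (this is neither Chromium's code nor anything from this bug; the function and constant names are my own). The month-counting rule is an assumption chosen to reproduce the 2017-01-01 / 2020-04-01 23:59:59 observation: time of day is ignored and any extra day rounds up to a full month. An RFC 5280 Validity-time parser is included so the check can be run on the raw notBefore/notAfter strings of a certificate.

```python
from datetime import datetime, timezone

# Cut-over dates from the Baseline Requirements as quoted in the report.
BR_EFFECTIVE = datetime(2012, 7, 1, tzinfo=timezone.utc)          # BR 1.0: 60-month cap
BR_39_MONTHS = datetime(2015, 4, 1, tzinfo=timezone.utc)          # BR 1.2.4: 39-month cap
PRE_BR_EXPIRY_CUTOFF = datetime(2019, 7, 1, tzinfo=timezone.utc)  # pre-BR certs must expire by here


def parse_x509_time(value: str) -> datetime:
    """Parse an RFC 5280 Validity time: UTCTime (YYMMDDHHMMSSZ, two-digit year,
    50-99 => 19xx, 00-49 => 20xx) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if not value.endswith("Z"):
        raise ValueError("certificate times must be encoded in Zulu time")
    digits = value[:-1]
    if len(digits) == 12:                      # UTCTime
        year = int(digits[:2])
        digits = ("19" if year >= 50 else "20") + digits
    elif len(digits) != 14:                    # GeneralizedTime
        raise ValueError(f"unexpected time encoding: {value!r}")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def validity_months(not_before: datetime, not_after: datetime) -> int:
    """Whole calendar months between the two instants.

    Assumption (chosen to match the observation in the report): the time of day
    is ignored, so an expiry at 23:59:59 on the same day-of-month still counts as
    exactly N months, while one more day rounds up to a full extra month."""
    months = (not_after.year - not_before.year) * 12 + (not_after.month - not_before.month)
    if not_after.day > not_before.day:
        months += 1
    return months


def has_too_long_validity(not_before: datetime, not_after: datetime) -> bool:
    """Apply the four rules the report lists for publicly trusted certificates.
    A cut-over instant is treated as the first moment of the new regime."""
    months = validity_months(not_before, not_after)
    if not_before < BR_EFFECTIVE:
        # Pre-BR issuance: 120-month common-practice limit, and no expiry past 2019-07-01.
        return months > 120 or not_after > PRE_BR_EXPIRY_CUTOFF
    if not_before >= BR_39_MONTHS:
        return months > 39
    return months > 60


def check_validity_strings(not_before: str, not_after: str) -> bool:
    """Convenience wrapper taking the encoded Validity fields of a certificate."""
    return has_too_long_validity(parse_x509_time(not_before), parse_x509_time(not_after))
```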

Thanks for filing the bug.

Bug 908125 is already filed for this, so I'll dupe this over.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE