Is there any rule about validity period of CA (root/intermediate) certificate?


passerby184

Oct 9, 2021, 8:46:16 AM10/9/21
to dev-secur...@mozilla.org
I can't find a written rule about the validity period of CA certificates in the CA/B BR or Mozilla policy, so a CA could register a root certificate with a notAfter date of year 9999 (which RFC 5280 assigns for no well-defined expiration date) and practically never care about a root certificate being expired. But would this kind of thing actually be allowed?
Actually, this doesn't sound that bad, as the root store is hand-picked, and if there was a reason to remove a root certificate (no longer trusted / key is now considered weak) it would be removed from the store by a store update, making automatic expiration unnecessary, and it can break things.

For intermediate CAs the validity period is a different can of worms, and I personally think having to manage documentation and CRL/OCSP literally forever is enough of a deterrent that no real CA will attempt it.

Maria José Prieto

Oct 11, 2021, 2:46:28 AM10/11/21
to dev-secur...@mozilla.org, tjt...@gmail.com
I hope this information helps you!

Program Requirements - Microsoft Trusted Root Program

Newly minted Root CAs must be valid for a minimum of 8 years, and a maximum of 25 years, from the date of submission.

Peter Gutmann

Oct 12, 2021, 12:52:12 AM10/12/21
to Maria José Prieto, dev-secur...@mozilla.org
Maria José Prieto <mpr...@firmaprofesional.com> writes:

>Newly minted Root CAs must be valid for a minimum of 8 years, and a maximum
>of 25 years, from the date of submission.

It would be helpful if browsers enforced the upper limits in the same way they
strictly enforce lower limits. I don't know how many root CA certs I've seen
with validity periods of between one and two hundred years (that's not a
typo). In particular, one-century validity periods seem to be popular for we-
don't-want-to-have-to-replace-them CA certs. So once they're entered into the
CA store those all-powerful certs will still be valid long after the CAs have
gone out of business, the private keys have been sold or stolen or lost, and
the crypto they use has been broken.

Peter.
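
As an added example, not code from any post in this thread: a small Python lint of the kind Peter suggests browsers could apply. It decodes the RFC 5280 Validity time encodings, treats the 99991231235959Z "no well-defined expiration" sentinel raised in the first post as a rejection, and checks a root's lifetime against the 8 to 25 year window Maria quoted from the Microsoft program. The limits, function names and sample validity strings are my assumptions and constructed values, not taken from any real root.

```python
# Added example (not from any post in this thread): a validity-period lint for
# CA certificates. It parses RFC 5280 Validity times (UTCTime / GeneralizedTime),
# recognises the 99991231235959Z "no well-defined expiration" sentinel, and
# checks the lifetime against an assumed 8..25 year policy window (the figures
# quoted from the Microsoft Trusted Root Program). Sample strings are constructed.
from datetime import datetime, timezone

NO_EXPIRY_SENTINEL = "99991231235959Z"  # RFC 5280 4.1.2.5: no well-defined expiry


def parse_rfc5280_time(s: str) -> datetime:
    """Decode a DER Validity time: UTCTime 'YYMMDDHHMMSSZ' or GeneralizedTime 'YYYYMMDDHHMMSSZ'."""
    if not s.endswith("Z"):
        raise ValueError("RFC 5280 requires Zulu (UTC) time encoding")
    digits = s[:-1]
    if len(digits) == 12:            # UTCTime: two-digit year, 50..99 -> 19xx, 00..49 -> 20xx
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:          # GeneralizedTime: four-digit year
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unrecognised time encoding: {s}")
    mo, d, h, mi, sec = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, sec, tzinfo=timezone.utc)


def check_ca_validity(not_before: str, not_after: str,
                      min_years: int = 8, max_years: int = 25) -> dict:
    """Return the lifetime in years and a policy verdict for one CA cert's Validity field."""
    if not_after == NO_EXPIRY_SENTINEL:
        return {"years": None, "verdict": "reject", "reason": "no well-defined expiration date"}
    start, end = parse_rfc5280_time(not_before), parse_rfc5280_time(not_after)
    years = (end - start).days / 365.25
    if years < min_years:
        verdict, reason = "reject", f"lifetime {years:.1f}y below minimum {min_years}y"
    elif years > max_years:
        verdict, reason = "reject", f"lifetime {years:.1f}y exceeds maximum {max_years}y"
    else:
        verdict, reason = "accept", "within policy window"
    return {"years": round(years, 1), "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    # Constructed sample Validity fields (not real roots)
    for nb, na in [("211009084616Z", "461009084616Z"),    # 25-year root, UTCTime
                   ("211009084616Z", "21211009084616Z"),  # one-century root, GeneralizedTime
                   ("211009084616Z", NO_EXPIRY_SENTINEL)]:
        print(nb, na, check_ca_validity(nb, na))
```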

Seo Suchan

Oct 12, 2021, 1:03:42 AM10/12/21
to dev-secur...@mozilla.org

On 2021-10-12 13:52, Peter Gutmann wrote:
That kind of thing should be handled by removing such root certs from the
browser by a sane trust store manager, not waiting a decade for them to
expire (because they couldn't pay for an audit if they are already bankrupt),
or all the roots with weak key algorithms will be removed as cleanup, like we
removed 1024-bit RSA keys from the list. If a root certificate stays in the
trust store, actively audited until its expiry, there is no reason to believe
it's weaker than a new root certificate with the same key algorithm from the
same CA.

Martin Thomson

Oct 12, 2021, 1:28:22 AM10/12/21
to Peter Gutmann, Maria José Prieto, dev-secur...@mozilla.org
On Tue, Oct 12, 2021 at 3:52 PM Peter Gutmann <pgu...@cs.auckland.ac.nz> wrote:
>It would be helpful if browsers enforced the upper limits in the same way they
>strictly enforce lower limits.  I don't know how many root CA certs I've seen
>with validity periods of between one and two hundred years (that's not a
>typo).  In particular, one-century validity periods seem to be popular for we-
>don't-want-to-have-to-replace-them CA certs.  So once they're entered into the
>CA store those all-powerful certs will still be valid long after the CAs have
>gone out of business, the private keys have been sold or stolen or lost, and
>the crypto they use has been broken.

Hi Peter,

Can you say more about this?  Are you concerned that people are not getting updates to their trust anchors?  My understanding is that - assuming that updates are active - trust anchors are only retained if the CA continues to pass audits and so forth.  (Seo said something similar.)

Put another way, while an end date is a useful construct, does it need to be the date in the certificate?

Maybe the trust store could indicate the date range over which trust remains valid.  That might be the date at which the current audit remains valid (or whatever time the trust assessment might need to be re-assessed).  Updates to the trust store could extend the lifetime of validity without changing the certificate anywhere.

If that is how it worked, what does it matter if the certificate claims to be valid until 2598?

Peter Gutmann

Oct 12, 2021, 4:55:37 AM10/12/21
to Martin Thomson, dev-secur...@mozilla.org
Martin Thomson <m...@mozilla.com> writes:

>Can you say more about this? Are you concerned that people are not getting
>updates to their trust anchors?

These are CAs (or more accurately TAs) added directly to the trust store by
private organisations serving, for example, a particular sector of industry;
they're not audited by anyone. So the TA will be active forever, or at least
for one to two hundred years depending on what the certificate says, unless the
browsers actually enforce an upper limit.

Peter.

Ryan Sleevi

Oct 12, 2021, 8:22:36 AM10/12/21
to Peter Gutmann, Martin Thomson, dev-secur...@mozilla.org
Is the belief then that they are added, but then never maintained, and therefore browsers should intervene and prevent their addition?

How is that different from some industry sector requiring a piece of third-party software that is never updated?

That is, as Martin said, it seems that the concern you’re raising is one of a lack of update/maintenance. The clarification suggests it’s not a lack of browser/OS maintenance, but maintenance by the local user/organization administrator.

However, at that point, what makes 25 years better than 100 years? Both seem unacceptably long? What is the frequency at which an organization should review any roots it has added, if software was going to be prescriptive about local configuration? It would seem to be on the order of months, not years.


Peter Gutmann

Oct 12, 2021, 8:52:17 PM10/12/21
to ry...@sleevi.com, dev-secur...@mozilla.org
Ryan Sleevi <ry...@sleevi.com> writes:

>Is the belief then that they are added, but then never maintained, and
>therefore browsers should intervene and prevent their addition

No, more that browsers should complain about certs with outrageous, and in
cases where the maximum lifetime is supposed to be 25 years outright invalid,
attributes in the hope of giving the organisations creating and deploying them
pause about what they're doing with their certificates. If browsers are happy
to accept any old rubbish in certs then organisations will keep deploying
certs with any old rubbish in them - it's a sanitary issue more than a
security one.

Peter.
