>Newly minted Root CAs must be valid for a minimum of 8 years, and a maximum
>of 25 years, from the date of submission.
It would be helpful if browsers enforced the upper limits in the same way they
strictly enforce lower limits. I don't know how many root CA certs I've seen
with validity periods of between one and two hundred years (that's not a
typo). In particular, one-century validity periods seem to be popular for we-
don't-want-to-have-to-replace-them CA certs. So once they're entered into the
CA store those all-powerful certs will still be valid long after the CAs have
gone out of business, the private keys have been sold or stolen or lost, and
the crypto they use has been broken.
Peter.
>Can you say more about this? Are you concerned that people are not getting
>updates to their trust anchors?
These are CAs (or more accurately TAs) added directly to the trust store by
private organisations serving, for example, a particular sector of industry;
they're not audited by anyone. So the TA will be active forever, or at least
for one to two hundred years depending on what the certificate says, unless the
browsers actually enforce an upper limit.
Peter.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/SY4PR01MB62514EB282924431AF720D28EEB69%40SY4PR01MB6251.ausprd01.prod.outlook.com.
>Is the belief then that they are added, but then never maintained, and
>therefore browsers should intervene and prevent their addition
No, more that browsers should complain about certs with outrageous, and in
cases where the maximum lifetime is supposed to be 25 years outright invalid,
attributes in the hope of giving the organisations creating and deploying them
pause about what they're doing with their certificates. If browsers are happy
to accept any old rubbish in certs then organisations will keep deploying
certs with any old rubbish in them - it's a sanitary issue more than a
security one.
Peter.
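The check Peter is asking browsers to make (flag a root whose notBefore/notAfter span falls outside the 8-to-25-year window quoted at the top of the thread) is straightforward to run over a trust store yourself. The Go program below is an added example written for this page, not code from the thread or from any browser or Mozilla project. It uses only the standard library, builds three constructed self-signed roots (5, 20 and 100 years) so it runs offline, and audits any PEM bundle given on the command line; the names "Example Short Root" and friends, and the 2024-01-01 start date, are assumptions made up for the demonstration. It is a validity-period lint only: it does not verify signatures or chain building.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// Policy bounds quoted in the thread: a newly minted root must be valid for
// at least 8 and at most 25 years.
const (
	MinRootYears = 8
	MaxRootYears = 25
)

// ValidityYears returns the certificate's validity period in fractional years.
func ValidityYears(cert *x509.Certificate) float64 {
	return cert.NotAfter.Sub(cert.NotBefore).Hours() / (24 * 365.25)
}

// CheckRootValidity reports "ok", "too-short" or "too-long" for a root
// certificate against the policy bounds above.
func CheckRootValidity(cert *x509.Certificate) string {
	years := ValidityYears(cert)
	switch {
	case years < MinRootYears:
		return "too-short"
	case years > MaxRootYears:
		return "too-long"
	}
	return "ok"
}

// AuditPEMBundle parses every CERTIFICATE block in a PEM bundle and returns a
// verdict per subject common name. Only self-signed CA certificates (trust
// anchors) are considered; intermediates and leaves are skipped.
func AuditPEMBundle(bundle []byte) (map[string]string, error) {
	verdicts := map[string]string{}
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if !cert.IsCA || cert.Subject.String() != cert.Issuer.String() {
			continue
		}
		verdicts[cert.Subject.CommonName] = CheckRootValidity(cert)
	}
	return verdicts, nil
}

// newSelfSignedRoot builds a constructed self-signed CA with the given validity
// in years, starting from an assumed fixed date. It is not a real trust anchor.
func newSelfSignedRoot(name string, years int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // assumed start date
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// ConstructedBundle returns a PEM bundle of three made-up roots: one too short,
// one within policy, and one of the century-long kind the thread complains about.
func ConstructedBundle() ([]byte, error) {
	var out []byte
	for name, years := range map[string]int{
		"Example Short Root": 5, "Example Normal Root": 20, "Example Century Root": 100,
	} {
		der, err := newSelfSignedRoot(name, years)
		if err != nil {
			return nil, err
		}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out, nil
}

func main() {
	var bundle []byte
	var err error
	if len(os.Args) > 1 {
		bundle, err = os.ReadFile(os.Args[1]) // audit a real PEM trust store
	} else {
		bundle, err = ConstructedBundle() // fall back to the constructed sample
	}
	if err != nil {
		panic(err)
	}
	verdicts, err := AuditPEMBundle(bundle)
	if err != nil {
		panic(err)
	}
	for name, verdict := range verdicts {
		fmt.Printf("%-22s %s\n", name, verdict)
	}
}
```

Run it with no arguments to see the three constructed verdicts, or point it at a PEM bundle such as a system CA file to list which anchors in it would fail the 25-year ceiling. Dates past 2049 are encoded as GeneralizedTime, which the Go parser handles, so century-long roots audit correctly.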