Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Clarification about Ballot 193 and validity of a certificate issued on March 1st
869 views
Skip to first unread message
Simone Carletti
Apr 19, 2018, 10:10:47 PM4/19/18
to mozilla-dev-s...@lists.mozilla.org
Hello,
I'm investigating an issue on behalf of a customer. Our customer requested a multi-year certificate that was issued on March 1st by Comodo.
Here's the certificate:
https://crt.sh/?id=354042595
Validity
Not Before: Mar 1 00:00:00 2018 GMT
Not After : May 29 23:59:59 2021 GMT
The certificate is currently considered invalid at least by Google Chrome.
It's my understanding that Google Chrome uses a >= comparison, which effectively means certificates issued on March 1st are already subject to Ballot 193.
However, it looks like the interpretation of Comodo of Ballot 193 here is based on a > comparison, since the certificate was issued with a 3y validity.
BR 6.3.2 says:
> Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days.
> Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months.
I'd appreciate some hints about whether a certificate issued on March 1st should be considered subject to Ballot 193 or not.
Best,
-- Simone
I'm investigating an issue on behalf of a customer. Our customer requested a multi-year certificate that was issued on March 1st by Comodo.
Here's the certificate:
https://crt.sh/?id=354042595
Validity
Not Before: Mar 1 00:00:00 2018 GMT
Not After : May 29 23:59:59 2021 GMT
The certificate is currently considered invalid at least by Google Chrome.
It's my understanding that Google Chrome uses a >= comparison, which effectively means certificates issued on March 1st are already subject to Ballot 193.
However, it looks like the interpretation of Comodo of Ballot 193 here is based on a > comparison, since the certificate was issued with a 3y validity.
BR 6.3.2 says:
> Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days.
> Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months.
I'd appreciate some hints about whether a certificate issued on March 1st should be considered subject to Ballot 193 or not.
Best,
-- Simone
Tim Shirley
Apr 20, 2018, 9:31:32 AM4/20/18
to Simone Carletti, mozilla-dev-s...@lists.mozilla.org
First of all, it's important to distinguish between the BR requirement, which is defined in terms of certificate *issuance* dates, and the value in the "Not Before" field. I'm guessing the "Not Before" value in this certificate is not the actual issuance timestamp, since it's unlikely it was issued right at the stroke of midnight. The CA is probably rounding, but we don't know if they're rounding up or down. But it would only be mis-issuance if the issuance occurred outside of the allowed time window. There's nothing I can see to show when the certificate was actually issued; it first showed up in CT logs on March 13, so we know it was issued on or before that, but that's all we know for sure about the issuance time.
So what is the allowed time window according to the BRs? I'd argue that the intent was that it be >=. If you read the first bullet's "after" as >, then you have to also read the second bullet's "prior to" as <. So what rule applies to certificates issued ON March 1, 2018? Apparently none. Certainly that wasn't the intent, which is why I interpret the requirement as >=. That is, the dividing line is the moment in time when we moved from February into March, such that one rule or the other is always in effect.
But even if you accept my premise there, then you have to ask "in what timezone?" March 1 00:00:00 2018 GMT in North America is February 28. So I could see someone making the argument that issuance at that moment in time is fine if the CA is in North America but it's mis-issuance if the CA is in Europe, since the requirements don't state that the measurement is UTC. This is why I'm not a fan of such precise enforcements of date-related compliance. There are a lot of different ways to interpret dates/times, but none of the readings materially change the net effect of the rule. That is, all readings change the max validity period to ~825 days (which itself is subject to debate as to its precise meaning in terms of seconds) within a day or two of each other. So, enforcing the date as Mar 1 as opposed to Mar 2 doesn't seem to add a lot of value and leads to confusion like this.
On 4/19/18, 10:10 PM, "dev-security-policy on behalf of Simone Carletti via dev-security-policy" <dev-security-policy-bounces+tshirley=trustw...@lists.mozilla.org on behalf of dev-secur...@lists.mozilla.org> wrote:
Hello,
I'm investigating an issue on behalf of a customer. Our customer requested a multi-year certificate that was issued on March 1st by Comodo.
Here's the certificate:
https://crt.sh?id=354042595
Validity
Not Before: Mar 1 00:00:00 2018 GMT
Not After : May 29 23:59:59 2021 GMT
The certificate is currently considered invalid at least by Google Chrome.
It's my understanding that Google Chrome uses a >= comparison, which effectively means certificates issued on March 1st are already subject to Ballot 193.
However, it looks like the interpretation of Comodo of Ballot 193 here is based on a > comparison, since the certificate was issued with a 3y validity.
BR 6.3.2 says:
> Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days.
> Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months.
I'd appreciate some hints about whether a certificate issued on March 1st should be considered subject to Ballot 193 or not.
Best,
-- Simone
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://scanmail.trustwave.com/?c=4062&d=p8zZ2rF2lZEEgQKoVUUviom_gMvUa93578dYFlK0UQ&s=5&u=https%3a%2f%2flists%2emozilla%2eorg%2flistinfo%2fdev-security-policy
So what is the allowed time window according to the BRs? I'd argue that the intent was that it be >=. If you read the first bullet's "after" as >, then you have to also read the second bullet's "prior to" as <. So what rule applies to certificates issued ON March 1, 2018? Apparently none. Certainly that wasn't the intent, which is why I interpret the requirement as >=. That is, the dividing line is the moment in time when we moved from February into March, such that one rule or the other is always in effect.
But even if you accept my premise there, then you have to ask "in what timezone?" March 1 00:00:00 2018 GMT in North America is February 28. So I could see someone making the argument that issuance at that moment in time is fine if the CA is in North America but it's mis-issuance if the CA is in Europe, since the requirements don't state that the measurement is UTC. This is why I'm not a fan of such precise enforcements of date-related compliance. There are a lot of different ways to interpret dates/times, but none of the readings materially change the net effect of the rule. That is, all readings change the max validity period to ~825 days (which itself is subject to debate as to its precise meaning in terms of seconds) within a day or two of each other. So, enforcing the date as Mar 1 as opposed to Mar 2 doesn't seem to add a lot of value and leads to confusion like this.
On 4/19/18, 10:10 PM, "dev-security-policy on behalf of Simone Carletti via dev-security-policy" <dev-security-policy-bounces+tshirley=trustw...@lists.mozilla.org on behalf of dev-secur...@lists.mozilla.org> wrote:
Hello,
I'm investigating an issue on behalf of a customer. Our customer requested a multi-year certificate that was issued on March 1st by Comodo.
Here's the certificate:
Validity
Not Before: Mar 1 00:00:00 2018 GMT
Not After : May 29 23:59:59 2021 GMT
The certificate is currently considered invalid at least by Google Chrome.
It's my understanding that Google Chrome uses a >= comparison, which effectively means certificates issued on March 1st are already subject to Ballot 193.
However, it looks like the interpretation of Comodo of Ballot 193 here is based on a > comparison, since the certificate was issued with a 3y validity.
BR 6.3.2 says:
> Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days.
> Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months.
I'd appreciate some hints about whether a certificate issued on March 1st should be considered subject to Ballot 193 or not.
Best,
-- Simone
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://scanmail.trustwave.com/?c=4062&d=p8zZ2rF2lZEEgQKoVUUviom_gMvUa93578dYFlK0UQ&s=5&u=https%3a%2f%2flists%2emozilla%2eorg%2flistinfo%2fdev-security-policy
Rob Stradling
Apr 20, 2018, 11:43:28 AM4/20/18
to Tim Shirley, Simone Carletti, mozilla-dev-s...@lists.mozilla.org
On 20/04/18 14:30, Tim Shirley via dev-security-policy wrote:
> First of all, it's important to distinguish between the BR requirement, which is defined in terms of certificate *issuance* dates, and the value in the "Not Before" field. I'm guessing the "Not Before" value in this certificate is not the actual issuance timestamp, since it's unlikely it was issued right at the stroke of midnight. The CA is probably rounding, but we don't know if they're rounding up or down. But it would only be mis-issuance if the issuance occurred outside of the allowed time window. There's nothing I can see to show when the certificate was actually issued; it first showed up in CT logs on March 13, so we know it was issued on or before that, but that's all we know for sure about the issuance time.
>
> So what is the allowed time window according to the BRs? I'd argue that the intent was that it be >=. If you read the first bullet's "after" as >, then you have to also read the second bullet's "prior to" as <. So what rule applies to certificates issued ON March 1, 2018? Apparently none. Certainly that wasn't the intent, which is why I interpret the requirement as >=.
Indeed, I'm sure that wasn't the intent. However, if the BRs don't say
> First of all, it's important to distinguish between the BR requirement, which is defined in terms of certificate *issuance* dates, and the value in the "Not Before" field. I'm guessing the "Not Before" value in this certificate is not the actual issuance timestamp, since it's unlikely it was issued right at the stroke of midnight. The CA is probably rounding, but we don't know if they're rounding up or down. But it would only be mis-issuance if the issuance occurred outside of the allowed time window. There's nothing I can see to show when the certificate was actually issued; it first showed up in CT logs on March 13, so we know it was issued on or before that, but that's all we know for sure about the issuance time.
>
> So what is the allowed time window according to the BRs? I'd argue that the intent was that it be >=. If you read the first bullet's "after" as >, then you have to also read the second bullet's "prior to" as <. So what rule applies to certificates issued ON March 1, 2018? Apparently none. Certainly that wasn't the intent, which is why I interpret the requirement as >=.
what the BRs intend to say, then the fault is with the BRs rather than
with the CA that adheres to what the BRs actually say. What the BRs
actually say is what matters, because that's what auditors will audit
against.
"after" is not the same thing as "on or after". "on or after" is used
elsewhere in the document to me >=, so TBH I think that reading "after"
as > is the only correct interpretation.
BTW, over in linting-land, we've already had this same discussion...
https://github.com/awslabs/certlint/pull/58
https://github.com/zmap/zlint/pull/195
>
--
Rob Stradling
Senior Research & Development Scientist
Email: R...@ComodoCA.com
Bradford, UK
Office: +441274730505
ComodoCA.com
This message and any files associated with it may contain legally
privileged, confidential, or proprietary information. If you are not the
intended recipient, you are not permitted to use, copy, or forward it,
in whole or in part without the express consent of the sender. Please
notify the sender by reply email, disregard the foregoing messages, and
delete it immediately.
sle...@google.com
Apr 20, 2018, 12:31:19 PM4/20/18
to mozilla-dev-s...@lists.mozilla.org
On Friday, April 20, 2018 at 9:31:32 AM UTC-4, Tim Shirley wrote:
> First of all, it's important to distinguish between the BR requirement, which is defined in terms of certificate *issuance* dates, and the value in the "Not Before" field. I'm guessing the "Not Before" value in this certificate is not the actual issuance timestamp, since it's unlikely it was issued right at the stroke of midnight. The CA is probably rounding, but we don't know if they're rounding up or down. But it would only be mis-issuance if the issuance occurred outside of the allowed time window. There's nothing I can see to show when the certificate was actually issued; it first showed up in CT logs on March 13, so we know it was issued on or before that, but that's all we know for sure about the issuance time.
>
> So what is the allowed time window according to the BRs? I'd argue that the intent was that it be >=. If you read the first bullet's "after" as >, then you have to also read the second bullet's "prior to" as <. So what rule applies to certificates issued ON March 1, 2018? Apparently none. Certainly that wasn't the intent, which is why I interpret the requirement as >=. That is, the dividing line is the moment in time when we moved from February into March, such that one rule or the other is always in effect.
I agree, it was not the intent, nor is it consistent with the other modifications in 193 ( https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/ ).
> First of all, it's important to distinguish between the BR requirement, which is defined in terms of certificate *issuance* dates, and the value in the "Not Before" field. I'm guessing the "Not Before" value in this certificate is not the actual issuance timestamp, since it's unlikely it was issued right at the stroke of midnight. The CA is probably rounding, but we don't know if they're rounding up or down. But it would only be mis-issuance if the issuance occurred outside of the allowed time window. There's nothing I can see to show when the certificate was actually issued; it first showed up in CT logs on March 13, so we know it was issued on or before that, but that's all we know for sure about the issuance time.
>
> So what is the allowed time window according to the BRs? I'd argue that the intent was that it be >=. If you read the first bullet's "after" as >, then you have to also read the second bullet's "prior to" as <. So what rule applies to certificates issued ON March 1, 2018? Apparently none. Certainly that wasn't the intent, which is why I interpret the requirement as >=. That is, the dividing line is the moment in time when we moved from February into March, such that one rule or the other is always in effect.
> But even if you accept my premise there, then you have to ask "in what timezone?" March 1 00:00:00 2018 GMT in North America is February 28. So I could see someone making the argument that issuance at that moment in time is fine if the CA is in North America but it's mis-issuance if the CA is in Europe, since the requirements don't state that the measurement is UTC. This is why I'm not a fan of such precise enforcements of date-related compliance. There are a lot of different ways to interpret dates/times, but none of the readings materially change the net effect of the rule. That is, all readings change the max validity period to ~825 days (which itself is subject to debate as to its precise meaning in terms of seconds) within a day or two of each other. So, enforcing the date as Mar 1 as opposed to Mar 2 doesn't seem to add a lot of value and leads to confusion like this.
>From the client side, we continue to take the most restrictive interpretation that is reasonable, and thus in Chrome, any certificate whose notBefore is >= 2018-03-01 00:00:00 UTC and whose difference (in days measured as 60*60*24 seconds) is greater than 825 days from the notAfter is rejected.
Matt Palmer
Apr 21, 2018, 12:52:41 AM4/21/18
to dev-secur...@lists.mozilla.org
On Fri, Apr 20, 2018 at 01:30:49PM +0000, Tim Shirley via dev-security-policy wrote:
> This is why I'm not a fan of such precise enforcements of date-related
> compliance. There are a lot of different ways to interpret dates/times,
> but none of the readings materially change the net effect of the rule.
> That is, all readings change the max validity period to ~825 days (which
> itself is subject to debate as to its precise meaning in terms of seconds)
> within a day or two of each other. So, enforcing the date as Mar 1 as
> opposed to Mar 2 doesn't seem to add a lot of value and leads to confusion
> like this.
Same thing goes the other way, though -- CAs trying to skate too close to
> This is why I'm not a fan of such precise enforcements of date-related
> compliance. There are a lot of different ways to interpret dates/times,
> but none of the readings materially change the net effect of the rule.
> That is, all readings change the max validity period to ~825 days (which
> itself is subject to debate as to its precise meaning in terms of seconds)
> within a day or two of each other. So, enforcing the date as Mar 1 as
> opposed to Mar 2 doesn't seem to add a lot of value and leads to confusion
> like this.
the line to extract maximum "value" out of the old rules also doesn't add a
lot of value, and leads to confusion like this. If the CA had decided to
not issue certificates over 825 days after, say, Feb 25, there wouldn't have
been any confusion either. Exact same reasoning applies to bumping up
against the ambiguity of the 825 day limit -- if a CA wants to avoid any
possibility of confusion, they can just be conservative in what they send,
and not issue certificates over, say, 820 days in length.
Live life on the edge, and you're going to fall off now and then.
- Matt
Eric Mill
Apr 22, 2018, 4:06:05 PM4/22/18
to Tim Shirley, mozilla-dev-s...@lists.mozilla.org, Simone Carletti
On Fri, Apr 20, 2018 at 9:30 AM, Tim Shirley via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
> First of all, it's important to distinguish between the BR r
dev-secur...@lists.mozilla.org> wrote:
> First of all, it's important to distinguish between the BR r
> But even if you accept my premise there, then you have to ask "in what
> timezone?" March 1 00:00:00 2018 GMT in North America is February 28. So
> I could see someone making the argument that issuance at that moment in
> time is fine if the CA is in North America but it's mis-issuance if the CA
> is in Europe, since the requirements don't state that the measurement is
> UTC. This is why I'm not a fan of such precise enforcements of
> timezone?" March 1 00:00:00 2018 GMT in North America is February 28. So
> I could see someone making the argument that issuance at that moment in
> time is fine if the CA is in North America but it's mis-issuance if the CA
> is in Europe, since the requirements don't state that the measurement is
> date-related compliance. There are a lot of different ways to interpret
> dates/times, but none of the readings materially change the net effect of
> the rule. That is, all readings change the max validity period to ~825
> days (which itself is subject to debate as to its precise meaning in terms
> of seconds) within a day or two of each other. So, enforcing the date as
> Mar 1 as opposed to Mar 2 doesn't seem to add a lot of value and leads to
> confusion like this.
>
I'm just going to double down on Matt's comment that the problem here
> dates/times, but none of the readings materially change the net effect of
> the rule. That is, all readings change the max validity period to ~825
> days (which itself is subject to debate as to its precise meaning in terms
> of seconds) within a day or two of each other. So, enforcing the date as
> Mar 1 as opposed to Mar 2 doesn't seem to add a lot of value and leads to
> confusion like this.
>
doesn't seem to be in strictness of enforcement, but rather CAs leaving
themselves no buffer zone. Whatever business advantage there is of giving
customers that one last day to get 3-year certs, seems likely not as
valuable as the certainty of avoiding giving those customers errors when
the certs are used in major browsers.
-- Eric
>
> On 4/19/18, 10:10 PM, "dev-security-policy on behalf of Simone Carletti
> via dev-security-policy" <dev-security-policy-bounces+tshirley=
Rob Stradling
Apr 22, 2018, 5:02:23 PM4/22/18
to Eric Mill, mozilla-dev-s...@lists.mozilla.org, Tim Shirley, Simone Carletti
On 22/04/18 21:04, Eric Mill via dev-security-policy wrote:
> On Fri, Apr 20, 2018 at 9:30 AM, Tim Shirley via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
>> First of all, it's important to distinguish between the BR r
>> But even if you accept my premise there, then you have to ask "in what
>> timezone?" March 1 00:00:00 2018 GMT in North America is February 28. So
>> I could see someone making the argument that issuance at that moment in
>> time is fine if the CA is in North America but it's mis-issuance if the CA
>> is in Europe, since the requirements don't state that the measurement is
>> UTC. This is why I'm not a fan of such precise enforcements of
>> date-related compliance. There are a lot of different ways to interpret
>> dates/times, but none of the readings materially change the net effect of
>> the rule. That is, all readings change the max validity period to ~825
>> days (which itself is subject to debate as to its precise meaning in terms
>> of seconds) within a day or two of each other. So, enforcing the date as
>> Mar 1 as opposed to Mar 2 doesn't seem to add a lot of value and leads to
>> confusion like this.
>
> I'm just going to double down on Matt's comment that the problem here
> doesn't seem to be in strictness of enforcement, but rather CAs leaving
> themselves no buffer zone.
The problem here, IMHO, is that the BR requirement was poorly written.
> On Fri, Apr 20, 2018 at 9:30 AM, Tim Shirley via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
>> First of all, it's important to distinguish between the BR r
>> But even if you accept my premise there, then you have to ask "in what
>> timezone?" March 1 00:00:00 2018 GMT in North America is February 28. So
>> I could see someone making the argument that issuance at that moment in
>> time is fine if the CA is in North America but it's mis-issuance if the CA
>> is in Europe, since the requirements don't state that the measurement is
>> UTC. This is why I'm not a fan of such precise enforcements of
>> date-related compliance. There are a lot of different ways to interpret
>> dates/times, but none of the readings materially change the net effect of
>> the rule. That is, all readings change the max validity period to ~825
>> days (which itself is subject to debate as to its precise meaning in terms
>> of seconds) within a day or two of each other. So, enforcing the date as
>> Mar 1 as opposed to Mar 2 doesn't seem to add a lot of value and leads to
>> confusion like this.
>
> I'm just going to double down on Matt's comment that the problem here
> doesn't seem to be in strictness of enforcement, but rather CAs leaving
> themselves no buffer zone.
> Whatever business advantage there is of giving
> customers that one last day to get 3-year certs, seems likely not as
> valuable as the certainty of avoiding giving those customers errors when
> the certs are used in major browsers.
CA's code to enforce the "after 1 March 2018" rule, this "certainty" did
no occur to me. I simply read the BR requirement and then implemented
code to enforce it.
Eric Mill
Apr 22, 2018, 5:11:42 PM4/22/18
to Rob Stradling, mozilla-dev-s...@lists.mozilla.org, Tim Shirley, Simone Carletti
good learning opportunity to protect against ambiguously written text by
giving a day's buffer.
Tim's time zone example is another good reason to give that buffer, even if
the BR language made it clear whether it was > or >=. A tangentially
similar comparison would be that in other systems I've built that structure
search results and push notifications around dates, the only safe way to do
it is to assign times as 12:00 UTC, even if that doesn't really accurately
describe the time something happened, so that no matter what time zone
someone is in, they're guaranteed to see it as the same day. It's worth the
imprecision to create consistency.
Simone Carletti
Apr 22, 2018, 9:39:31 PM4/22/18
to Eric Mill, mozilla-dev-s...@lists.mozilla.org, Tim Shirley, Rob Stradling
> Yeah, I completely get how that would happen. I would just think this is
a good learning opportunity to protect against ambiguously written text by
giving a day's buffer.
I absolutely agree Eric, and this is the primary reason I'm sharing this
a good learning opportunity to protect against ambiguously written text by
giving a day's buffer.
issue here.
I am playing the role of a CA and Browser user here, speaking on behalf of
our customer. Our customer is the party that eventually is affected by this
misunderstanding.
We placed a request with Comodo to get this certificate order refunded and
place a new order (as it stands today it's unusable and I assume we can't
reissue it with a 3 years length at this point). I'm confident that we'll
sort this out, but I wanted to bring up this issue to encourage less
ambiguous wording in the future.
-- Simone
0 new messages