Mozilla considers rejecting long-lived digital certificates following similar decision by Google

Starting in early 2014 Google Chrome will block certificates issued after July 1, 2012, with a validity period of more than 60 months

Mozilla is considering the possibility of rejecting as invalid SSL certificates issued after July 1, 2012, with a validity period of more than 60 months. Google already made the decision to block such certificates in Chrome starting early next year.

"As a result of further analysis of available, publicly discoverable certificates, as well as the vibrant discussion among the CA/B Forum [Certificate Authority/Browser Forum] membership, we have decided to implement further programmatic checks in Google Chrome and the Chromium Browser in order to ensure Baseline Requirements compliance," Ryan Sleevi, a member of the Google Chrome Team said Monday in a message to the CA/B Forum mailing list.

The checks will be added to the development and beta releases of Google Chrome at the beginning of 2014. The changes are expected in the stable release of Chrome during the first quarter of next year, Sleevi said.

The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, sometimes simply referred to as the Baseline Requirements, is a set of guidelines agreed upon by all certificate authorities (CAs) and browser vendors that are members of the CA/B Forum.

Version 1.0 of the Baseline Requirements went into effect on July 1, 2012, and states that "Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months." It also says that certificates to be issued after April 1, 2015, will need to have a validity period no greater than 39 months, but there are some clearly defined exceptions to this requirement.

The shortening of certificate validity period is a proactive measure that would allow for a timely implementation of changes made to the requirements in the future. It would be hard for future requirements, especially those with a security impact, to have a practical effect if older certificates that aren't compliant with them would remain valid for 10 more years.

Google identified 2,038 certificates that were issued after July 1, 2012, and have validity periods longer than 60 months, in violation of the current Baseline Requirements.

"We encourage CAs that have engaged in this unfortunate practice, which appears to be a very limited subset of CAs, to reach out to affected customers and inform them of the upcoming changes," Sleevi said referring to the fact that Chrome will start blocking those certificates in the beginning of 2014.

On Thursday, a discussion was started on the Mozilla bug tracker on whether the company should enforce a similar block in its products.

"Everyone agrees such certs, when newly issued, are incompatible with the Baseline Requirements," said Gervase Markham, who deals with issues of project governance at Mozilla, on the bug tracker. "Some CAs have argued that when reissued, this is not so, but Google does not agree with them. We should consider making the same change."

Daniel Veditz, the security lead at Mozilla said that he sees why CAs might have a problem with this from a business and legal standpoint. If a CA already sold a "product" -- in this case a certificate -- in the past with certain terms and would later violate those terms by deciding to reduce the certificate's validity period, they might be in hot water, he said.

"Although it does seem as if reissuing as a 60-month cert with the promise to reissue with the balance later ought to be satisfactory," Vediz said.

Markham agreed. "No one is asking CAs to not give customers what they've paid for in terms of duration; it will just need to be 2 (or more) separate certs," he said. "I agree that changing certs once every 5 years rather than every 10 might be a minor inconvenience for customers who use the same web server hardware and software for more than 5 years, but I'm not sure how large a group that is."

Mozilla's PR firm in the U.K. could not immediately provide a statement from the company regarding this issue.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Googlemozillaonline safetypki

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?