On Sat, Mar 4, 2017 at 4:20 PM, Daniel Cater via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Saturday, 4 March 2017 21:21:41 UTC, Jeremy Rowley wrote:
> > Common practice amongst certain CAs. There were several CAs that have
> > always opposed cert validity periods longer than three years. This
> > opposition led to reducing the validity period first to 60 months then
> > to 39 months.
>
> The reason I brought this up is that I found this certificate in the wild
> with a validity of almost 124 months (10 years and 4 months):
> https://crt.sh/?id=710954&opt=cablint,x509lint
>
> I read the cablint warning and wondered if the certificate was in breach
> of any pre-BR policies at the time that it was issued, but I assume not.
>
> Note that the certificate is live and trusted by browsers that haven't yet
> blocked SHA-1 certificates: https://newleaderscouncil.org/

Even if SHA-1 was still enabled, Chrome blocked such certificates.

Currently Chrome sets the absolute upper max at 10 years if pre-BRs, 5 years if BR effective date, and 3 years after the sunset.

My hope for Chrome 59 is to change that to 3 years across the board soon, with further reductions thereafter.