Hi Jonathan,

On 23/01/18 22:55, Jonathan Rudenberg wrote:
> A certificate issued by GlobalSign showed up in CT today with a notBefore
> date of March 21, 2018 and a notAfter date of April 23, 2021, a validity
> period of ~1129 days (more than three years).

Thank you for pointing this out. This does seem at first look like an attempted end-run around the 825-day validity period restriction which comes into effect soon. Perhaps GlobalSign would care to comment here? If not, I can file a bug and make a formal request.

> 1) The Root Store Policy should explicitly ban forward and back-dating the
> notBefore date.

I am not opposed to this, but I would want to allow CAs to make representations about when this is necessary so we can see if any exceptions do actually need to be made. But a general rule might be a good idea.

> 2) Firefox should implement a technical check to enforce the validity period
> so that issuance practices like this do not impact users (see
> https://bugzilla.mozilla.org/show_bug.cgi?id=908125)

Does Chrome already do this? If so, I might expect this cert, once it becomes valid, not to work in Chrome...

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
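The two checks discussed in this message (validity period against the 825-day limit, and notBefore compared with when the certificate first appeared in CT) can be sketched as follows. This is an added example, not part of the original message and not Firefox's or Chrome's code; the `CtObservation` record, the `audit` function and the 48-hour tolerance are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_VALIDITY = timedelta(days=825)       # the limit named in the thread
DATING_TOLERANCE = timedelta(hours=48)   # assumption: slack allowed for clock skew


@dataclass(frozen=True)
class CtObservation:
    """Hypothetical record: a certificate's validity fields plus first CT sighting."""
    not_before: datetime
    not_after: datetime
    first_seen: datetime


def audit(obs, max_validity=MAX_VALIDITY, tolerance=DATING_TOLERANCE):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    validity = obs.not_after - obs.not_before
    if validity > max_validity:
        findings.append(f"validity {validity.days}d exceeds {max_validity.days}d")
    # Positive skew: the certificate was logged before its validity begins.
    skew = obs.not_before - obs.first_seen
    if skew > tolerance:
        findings.append(f"notBefore is {skew.days}d after first CT sighting (forward-dated)")
    elif -skew > tolerance:
        # Weaker signal: a certificate may simply have been logged late.
        findings.append(f"notBefore is {(-skew).days}d before first CT sighting (possibly back-dated)")
    return findings


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Dates from the thread; the midnight UTC times are constructed.
THREAD_CERT = CtObservation(utc(2018, 3, 21), utc(2021, 4, 23), utc(2018, 1, 23))
# Constructed comparison case: two-year certificate logged on its notBefore date.
ORDINARY_CERT = CtObservation(utc(2018, 1, 23), utc(2020, 1, 23), utc(2018, 1, 23))

if __name__ == "__main__":
    for name, obs in (("thread", THREAD_CERT), ("ordinary", ORDINARY_CERT)):
        print(name, audit(obs) or "ok")
```

A client-side check can only apply the first test, since a relying party sees notBefore and notAfter but not the issuance time; the second test needs a CT timestamp or similar external evidence.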