Afternoon all!

A month ago a new BR rule went into effect, putting a maximum validity
period of 825 days on newly issued certificates.

Truthfully, I was expecting tons of CAs to screw up, forget to implement
it, or have no technical controls, and there to be tons of mis-issuance.
To my delight, the results have been pretty good
(https://crt.sh/?zlint=1081&minNotBefore=2018-03-01): the majority of
violations have been from the US Government (whose PKI isn't remotely BR
compliant, nor trusted by Mozilla).

In light of this incredible success, I think it's time to begin a
discussion on what the next step in this chain is. While obviously actually
encoding this in the BRs will be a function of the CABF, as mdsp is the
premier public discussion forum for the PKI, I wanted to start here.

I propose that our next target should be a max validity period of 18 months
(~550 days), starting in ~6 months from now.

The value of shorter-lived certificates has been discussed many times, but
to rehash: They afford the ecosystem significantly more agility, by
allowing us to remove mistakes in shorter periods of time without breaking
valid certificates. It also encourages subscribers to adopt more
automation, which further helps with agility.

Alex
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

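As an added example (not code from the post, from Mozilla, or from the CABF), here is a stdlib-only check of the kind the crt.sh/zlint query above performs: walk a DER-encoded Certificate down to its Validity field, decode notBefore/notAfter (UTCTime or GeneralizedTime, per RFC 5280), and compare the span against a maximum such as the current 825 days or the proposed ~550. It assumes the policy is simply notAfter minus notBefore compared to max_days; any inclusive-counting subtleties in the BR definition of validity period are not modelled. The sample certificates are constructed, unsigned skeletons with just enough structure for the parser, not real certificates.

```python
"""Added example: check a DER X.509 Certificate's validity period against a
maximum number of days. Assumption: period = notAfter - notBefore."""
import datetime as dt

UTCTIME, GENTIME, SEQUENCE, INTEGER, CONTEXT0, BITSTRING = 0x17, 0x18, 0x30, 0x02, 0xA0, 0x03


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq: bytes):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE's value."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        yield tag, val


def _parse_time(tag: int, val: bytes) -> dt.datetime:
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == UTCTIME:                     # RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != GENTIME:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")


def cert_validity(der: bytes):
    """Return (notBefore, notAfter) from a DER Certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    tbs_tag, tbs, _ = _read_tlv(cert, 0)
    if tbs_tag != SEQUENCE:
        raise ValueError("no TBSCertificate")
    fields = list(_children(tbs))
    if fields[0][0] == CONTEXT0:           # version [0] EXPLICIT is OPTIONAL (v1 omits it)
        fields = fields[1:]
    vtag, validity = fields[3]             # serialNumber, signature, issuer, validity
    if vtag != SEQUENCE:
        raise ValueError("no Validity")
    nb, na = list(_children(validity))
    return _parse_time(*nb), _parse_time(*na)


def validity_days(der: bytes) -> float:
    nb, na = cert_validity(der)
    return (na - nb).total_seconds() / 86400


def exceeds_limit(der: bytes, max_days: int = 825) -> bool:
    """True when the certificate's validity period is longer than max_days."""
    return validity_days(der) > max_days


# ---- constructed sample input (hypothetical skeleton, not a real certificate) ----
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _time_der(t: dt.datetime) -> bytes:
    """RFC 5280: dates through 2049 use UTCTime, 2050 and later GeneralizedTime."""
    if t.year < 2050:
        return _der(UTCTIME, t.strftime("%y%m%d%H%M%SZ").encode())
    return _der(GENTIME, t.strftime("%Y%m%d%H%M%SZ").encode())


def sample_cert(not_before: str, not_after: str, with_version: bool = True) -> bytes:
    """Build an unsigned skeleton Certificate with the given ISO-8601 dates."""
    nb, na = dt.datetime.fromisoformat(not_before), dt.datetime.fromisoformat(not_after)
    fields = _der(CONTEXT0, _der(INTEGER, b"\x02")) if with_version else b""   # v3
    fields += _der(INTEGER, b"\x01")                                          # serialNumber
    fields += _der(SEQUENCE, b"")                                             # signature (placeholder)
    fields += _der(SEQUENCE, b"")                                             # issuer (placeholder)
    fields += _der(SEQUENCE, _time_der(nb) + _time_der(na))                   # validity
    fields += _der(SEQUENCE, b"")                                             # subject (placeholder)
    tbs = _der(SEQUENCE, fields)
    return _der(SEQUENCE, tbs + _der(SEQUENCE, b"") + _der(BITSTRING, b"\x00"))


if __name__ == "__main__":
    for nb, na in (("2018-03-01", "2020-06-03"), ("2018-03-01", "2020-06-04")):
        c = sample_cert(nb, na)
        print(nb, na, validity_days(c), "days; >825:", exceeds_limit(c),
              "; >550:", exceeds_limit(c, 550))
```

The two-day pair in the demo brackets the 825-day boundary (2018-03-01 to 2020-06-03 is exactly 825 days), which is the case a lint most needs to get right; the v1-style certificate without a version field and a post-2049 GeneralizedTime notAfter are the other structural cases the parser has to handle.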