Thank you for sharing this, Clint. I'd like to ask for input from the community: is this a requirement that we should add to the Mozilla policy at this time (effective September 1, 2020)?
You may recall that a 398-day maximum validity for TLS certificates was proposed to the CA/Browser Forum by Google last year. Mozilla voted in favor, but ballot SC22 failed due to a lack of support from CAs. [1] Many of the arguments for and against this change can be found in the emails sent by CA/Browser Forum members during the discussion [2] and when casting their votes. [3]

- Wayne

[1] https://cabforum.org/pipermail/servercert-wg/2019-September/001080.html
[2] https://cabforum.org/pipermail/servercert-wg/2019-August/
[3] https://cabforum.org/pipermail/servercert-wg/2019-September/

On Tue, Mar 3, 2020 at 12:55 PM Clint Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Hello all,
>
> I wanted to inform this community of an upcoming change to the Apple Root
> Program.
> SSL/TLS certificates issued on or after September 1, 2020 will need to
> have a total lifetime of no more than 398 days. This change will be put in
> place in a future release of iOS, macOS, iPadOS, watchOS, and tvOS for
> default-trusted TLS certificates (i.e. the Roots that come preinstalled on
> the above OSes).
>
> For additional information, please see
> https://support.apple.com/en-us/HT211025.
>
> Thank you!
> -Clint
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy