On Tue, 3 Mar 2020 13:27:59 -0700
Wayne Thayer via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> I'd like to ask for input from the community: is this a requirement
> that we should add to the Mozilla policy at this time (effective
> September 1, 2020)?

If Mozilla adds this as a policy requirement it should also land
enforcement in Firefox that rejects certificates which violate this
policy. I tried to investigate whether this currently happens for the
825 day rule in the BRs but failed to satisfy myself either way.


I read the SC22 discussion when it happened but I will re-read it all in
the light of Apple's recent decision and your question and post again
if that results in something I miss here.


One thing Mozilla definitely shouldn't replicate is Apple's decision to
present this to CA/B in person - resulting in tech news coverage based
on hearsay and conjecture - then only follow up days later to the wider
population with material that doesn't cover every obvious question a
reasonable person would have. A few hours before Clint's post I actually
had to explain to someone that their understanding of the issue was
probably wrong† - but with nothing official from Apple it was
impossible to say so definitively, which means they're left pointlessly
confused, presumably not Apple's purpose here.

If Mozilla does follow Apple's policy here (which I am minded to think
is the wiser course) they should make sure to have materials on hand
immediately to clarify exactly what that will mean to both specialists
and lay people when that policy is announced.


†They had imagined existing two year certificates would suddenly cease
to work on iPhones after their first year, which of course would be a
nightmare to manage and does not match Clint's confirmation here that
notBefore will be used to decide which certificates the policy applies
to.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

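The two technical points raised above (a client rejecting certificates whose validity exceeds the limit in force, and the limit being selected by notBefore rather than by the current date) are easy to get wrong in exactly the way the footnote describes. The following is an added example written for this page; it is not Firefox code, Mozilla policy text, or anything from the thread's participants. It assumes the BR 825-day limit applies to certificates with notBefore on or after 2018-03-01 and a 398-day limit applies from 2020-09-01 (the date in Wayne's question), and it measures validity as notAfter minus notBefore, ignoring the one-second inclusive-counting convention some policies use.

```python
"""Validity-period check keyed on notBefore (added illustration, not Firefox code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (certificate times are UTC)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ValidityRule:
    name: str
    applies_from: datetime  # compared against notBefore, never against "now"
    max_days: int


# Constructed rule table. Dates are assumptions stated in the lead-in:
# BR 1.5.7 (825 days) from 2018-03-01; the proposed 398-day limit from 2020-09-01.
RULES = (
    ValidityRule("BR 825-day limit", utc(2018, 3, 1), 825),
    ValidityRule("398-day limit (Apple / proposed Mozilla)", utc(2020, 9, 1), 398),
)


def applicable_rule(not_before, rules=RULES):
    """Return the strictest rule already in force when the certificate was issued.

    The policy attaches at issuance: a rule whose applies_from date is later than
    notBefore is simply not applicable, no matter how far in the future the check runs.
    """
    in_force = [r for r in rules if r.applies_from <= not_before]
    if not in_force:
        return None
    return min(in_force, key=lambda r: r.max_days)


def validity_days(not_before, not_after):
    """Validity period in days as notAfter - notBefore (no +1 second adjustment)."""
    return (not_after - not_before) / timedelta(days=1)


def check_validity(not_before, not_after, rules=RULES):
    """Return (ok, reason) for the validity period alone, without regard to 'now'."""
    rule = applicable_rule(not_before, rules)
    days = validity_days(not_before, not_after)
    if rule is None:
        return True, f"no validity limit applies to certificates issued {not_before:%Y-%m-%d}"
    if days > rule.max_days:
        return False, f"{days:.0f}-day validity exceeds the {rule.max_days}-day {rule.name}"
    return True, f"{days:.0f}-day validity is within the {rule.max_days}-day {rule.name}"


def is_acceptable(not_before, not_after, now, rules=RULES):
    """Client-side decision at time `now`.

    Two independent conditions: `now` must fall inside the certificate's own
    validity window, and the validity period must satisfy the rule selected by
    notBefore. Because the rule is chosen by notBefore, a two-year certificate
    issued before 2020-09-01 keeps working in its second year even once the
    398-day limit is in force for newly issued certificates.
    """
    if not (not_before <= now <= not_after):
        return False
    ok, _reason = check_validity(not_before, not_after, rules)
    return ok


if __name__ == "__main__":
    # The misconception from the footnote: a two-year cert issued 2020-03-01,
    # checked in its second year after the 398-day rule took effect.
    nb, na = utc(2020, 3, 1), utc(2022, 3, 1)
    print(check_validity(nb, na)[1])
    print("still accepted on 2021-06-01:", is_acceptable(nb, na, utc(2021, 6, 1)))
    # The same 730-day profile issued on the effective date is rejected outright.
    print(check_validity(utc(2020, 9, 1), utc(2022, 9, 1))[1])
```

The deciding line is the filter in `applicable_rule`: it compares the rule's effective date with notBefore and never with the clock, which is the difference between "existing certificates keep working" and "existing certificates break after their first year". A client that wanted the opposite behaviour would have to compare against `now`, and that is the reading the footnote says is wrong.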