Hi Clint,

The content of your email, the blog post and the Apple root policy all say
something a little different and may leave some room for interpretation by
the CAs.  As it stands, things are a bit confused.  Here's why:

Your mail is a little light on the details.  While you say this is an
"upcoming change" to the Root Program you say certificates "will need to
have a lifetime of no more than 398 days".  The "will need to have" is
really weak.  If this is a hard requirement then I would say something
stronger like: "The Apple Root Program requires (as of Sept 1) CAs to issue
certificates with validity period not to exceed a total lifetime of 398
days under roots in the Apple root program.  Any certificates issued under a
Root in the Apple root program will be considered a violation of the Apple
Root policy" (or something like that).  Done, everyone knows exactly what
you mean.

The article you posted does not mention Apple Root program or policy and it
is more or less a general statement without any context.  "TLS server
certificates issued on or after September 1, 2020 00:00 GMT/UTC must not
have a validity period greater than 398 days."  If Connections (presumably
from Safari browser or Apple apps) are attempted, then "This might cause
network and app failures and prevent websites from loading".  There is
nothing indicating this is an Apple Root policy requirement or that CAs need
to take note, only that if an Apple endpoint encounters one of these
non-compliant certificates, the connection may/will fail.

Your root policy: Obviously there is nothing here about this new change, and
if this is "the" Apple root policy, I'd recommend getting that updated with
a clear statement of this requirement and what happens if a certificate is
issued with a lifetime outside of this duration.  Chrome has a policy that
it will not trust certificates that are not compliant with their CT policy,
but it's not a Root policy.  Is this how Apple views their policy, or is it
a Root policy and any non-compliance is considered a mis-issuance by Apple?
The various statements lead me back and forth between those 2
interpretations.

I think it's important that this be clearly stated, and I dislike formal
root policies being documented only in email threads.  How would a new CA
know this is a requirement without going through years of archived email on
multiple lists?

By the way, there is no reporting process outlined in the event that
something in your policy is violated.  How should violations be reported and
tracked?

Thanks!

Doug

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On
Behalf Of Clint Wilson via dev-security-policy
Sent: Tuesday, March 3, 2020 2:55 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: About upcoming limits on trusted certificates

Hello all,

I wanted to inform this community of an upcoming change to the Apple Root
Program. 
SSL/TLS certificates issued on or after September 1, 2020 will need to have
a total lifetime of no more than 398 days. This change will be put in place
in a future release of iOS, macOS, iPadOS, watchOS, and tvOS for
default-trusted TLS certificates (i.e. the Roots that come preinstalled on
the above OSes).

For additional information, please see
https://support.apple.com/en-us/HT211025.

Thank you!
-Clint
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
