On Wed, Mar 4, 2020 at 11:48 AM Nick Lamb <n...@tlrmx.org> wrote:

> On Tue, 3 Mar 2020 13:27:59 -0700
> Wayne Thayer via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> > I'd like to ask for input from the community: is this a requirement
> > that we should add to the Mozilla policy at this time (effective
> > September 1, 2020)?
>
> If Mozilla adds this as a policy requirement it should also land
> enforcement in Firefox that rejects certificates which violate this
> policy. I tried to investigate whether this currently happens for the
> 825 day rule in the BRs but failed to satisfy myself either way.
>

I'm fairly certain that there is no validity period enforcement in Firefox. The request is https://bugzilla.mozilla.org/show_bug.cgi?id=908125

I'm also not in a position to commit Mozilla to technical enforcement if we adopt a policy of 398 days. However, I believe there is still value in the policy alone - violations are easily detected via CT logs, and making them a misissuance under our policy then obligates the CA to file a public incident report.

> I read the SC22 discussion when it happened but I will re-read it all in
> the light of Apple's recent decision and your question and post again
> if that results in something I miss here.
>
> One thing Mozilla definitely shouldn't replicate is Apple's decision to
> present this to CA/B in person - resulting in tech news coverage based
> on hearsay and conjecture - then only follow up days later to the wider
> population with material that doesn't cover every obvious question a
> reasonable person would have. A few hours before Clint's post I actually
> had to explain to someone that their understanding of the issue was
> probably wrong† - but with nothing official from Apple it was
> impossible to say so definitively, which means they're left pointlessly
> confused, presumably not Apple's purpose here.
>
> If Mozilla does follow Apple's policy here (which I am minded to think
> is the wiser course) they should make sure to have materials on hand
> immediately to clarify exactly what that will mean to both specialists
> and lay people when that policy is announced.
>

As usual, I'll propose the policy language and we'll discuss it on the list.

> †They had imagined existing two-year certificates would suddenly cease
> to work on iPhones after their first year, which of course would be a
> nightmare to manage and does not match Clint's confirmation here that
> notBefore will be used to decide which certificates the policy applies
> to.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy