Dear Steven, CA certificates can have a validity longer than 398 days. The policy applies to the validity period of TLS server certificates. At the CA level, it will be enforced as a compliance issue in the root store when we accept or remove a root CA in the "publicly trusted" root store. It will also be enforced at the server-certificate level, through the incident-reporting process and treated as a mis-issuance. See https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#24-incidents. However, if a user installs its own CA certificate, then that CA can issue server certificates with validity longer than 398 days. The code will check the TLS server certificate to see if it chains to a publicly trusted root and whether it was issued on or after 1-Sept-2020. If so, then if it does not have a lifetime of less than 398 days, the TLS connection will be blocked and there will be a warning message. See https://bugzilla.mozilla.org/show_bug.cgi?id=908125 Does that answer your question? Thanks, Ben
On Tue, Aug 25, 2020 at 10:42 AM None Of via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Tuesday, July 14, 2020 at 2:13:30 PM UTC-4, Ben Wilson wrote: > > Hi Christian, > > I think your concern is about how our code will enforce this. Because > our > > policy only applies to roots that are built in, our intent is to have > our > > code apply this restriction only to certificates that chain up to > built-in > > roots. > > Thanks, > > Ben > > On Mon, Jul 13, 2020 at 10:37 PM Christian Felsing via > dev-security-policy < > > dev-secur...@lists.mozilla.org> wrote: > > > > > Am 09.07.2020 um 17:46 schrieb Ben Wilson via dev-security-policy: > > > > > > > > https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/ > > > > > > Hi, > > > > > > blog post should clarify if this is valid for certificates issued by > > > preinstalled root CAs only or also for CAs installed by user. > > > > > > > > > regards > > > Christian > > > _______________________________________________ > > > dev-security-policy mailing list > > > dev-secur...@lists.mozilla.org > > > https://lists.mozilla.org/listinfo/dev-security-policy > > > > Hello Ben, > > I also would like clarification as to whether this change is an > "administrative change" for Mozilla accepting CAs in the included root > store, or whether it will be a technical change in how Firefox validates CA > certificate validity. > > If users install a CA cert that has a validity longer than 398 days after > 1 Sept 2020, will this cause warning messages to appear? > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
