Re: 398 Cert Life span 1Sep2020

2020-07-13 Thread marc reynolds via dev-security-policy 
Really appreciate advise and inputs Mark , thank you …

Does beg the question will they change the browser checks and how would we know

M

From: Mark Goodwin 
Date: Tuesday, 7 July 2020 at 14:54
To: "marc.rn...@gmail.com" 
Cc: "mozilla-dev-security-pol...@lists.mozilla.org" 

Subject: Re: 398 Cert Life span 1Sep2020

Hi,

I can't answer for any of the vendors but I've read around this a bit; perhaps 
the following will be of some use:

The Apple announcement states that the change affects "only TLS server 
certificates issued from the Root CAs preinstalled with iOS" - therefore, I 
think it's safe to assume locally added roots (from Internal CAs) will be 
unaffected.

The Chromium change also appears to only apply to certs from known roots ( 
https://source.chromium.org/chromium/chromium/src/+/master:net/cert/cert_verify_proc.cc;l=682?q=HasTooLongValidity=chromium
 ) so Chrome, Edge and other Chromium based browsers look to be the same story.

Kind regards,

Mark


On Mon, 6 Jul 2020 at 15:07, marc.rnlds--- via dev-security-policy 
mailto:dev-security-policy@lists.mozilla.org>>
 wrote:
Hi All,

How will internal CA's be affected.


If I issue or have issued 2 years certificates, how will the browsers treat 
these certificates ?


Just after guidance ..

M
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: 398 Cert Life span 1Sep2020

2020-07-07 Thread Mark Goodwin via dev-security-policy 
Hi,

I can't answer for any of the vendors but I've read around this a bit;
perhaps the following will be of some use:

The Apple announcement states that the change affects "only TLS server
certificates issued from the Root CAs preinstalled with iOS" - therefore, I
think it's safe to assume locally added roots (from Internal CAs) will be
unaffected.

The Chromium change also appears to only apply to certs from known roots (
https://source.chromium.org/chromium/chromium/src/+/master:net/cert/cert_verify_proc.cc;l=682?q=HasTooLongValidity=chromium
) so Chrome, Edge and other Chromium based browsers look to be the same
story.

Kind regards,

Mark



On Mon, 6 Jul 2020 at 15:07, marc.rnlds--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Hi All,
>
> How will internal CA's be affected.
>
>
> If I issue or have issued 2 years certificates, how will the browsers
> treat these certificates ?
>
>
> Just after guidance ..
>
> M
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy