Mozilla may follow Google's lead and reject long-lived digital certificates
Starting in early 2014 Google Chrome will block certificates issued after July 1, 2012, with a validity period of more than 60 months
IDG News Service - Mozilla is considering the possibility of rejecting as invalid SSL certificates issued after July 1, 2012, with a validity period of more than 60 months. Google already made the decision to block such certificates in Chrome starting early next year.
"As a result of further analysis of available, publicly discoverable certificates, as well as the vibrant discussion among the CA/B Forum [Certificate Authority/Browser Forum] membership, we have decided to implement further programmatic checks in Google Chrome and the Chromium Browser in order to ensure Baseline Requirements compliance," Ryan Sleevi, a member of the Google Chrome Team said Monday in a message to the CA/B Forum mailing list.
The checks will be added to the development and beta releases of Google Chrome at the beginning of 2014. The changes are expected in the stable release of Chrome during the first quarter of next year, Sleevi said.
The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, sometimes simply referred to as the Baseline Requirements, is a set of guidelines agreed upon by all certificate authorities (CAs) and browser vendors that are members of the CA/B Forum.
Version 1.0 of the Baseline Requirements went into effect on July 1, 2012, and states that "Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months." It also says that certificates to be issued after April 1, 2015, will need to have a validity period no greater than 39 months, but there are some clearly defined exceptions to this requirement.
The shortening of certificate validity period is a proactive measure that would allow for a timely implementation of changes made to the requirements in the future. It would be hard for future requirements, especially those with a security impact, to have a practical effect if older certificates that aren't compliant with them would remain valid for 10 more years.
Google identified 2,038 certificates that were issued after July 1, 2012, and have validity periods longer than 60 months, in violation of the current Baseline Requirements.
"We encourage CAs that have engaged in this unfortunate practice, which appears to be a very limited subset of CAs, to reach out to affected customers and inform them of the upcoming changes," Sleevi said referring to the fact that Chrome will start blocking those certificates in the beginning of 2014.
On Thursday, a discussion was started on the Mozilla bug tracker on whether the company should enforce a similar block in its products.
"Everyone agrees such certs, when newly issued, are incompatible with the Baseline Requirements," said Gervase Markham, who deals with issues of project governance at Mozilla, on the bug tracker. "Some CAs have argued that when reissued, this is not so, but Google does not agree with them. We should consider making the same change."
- The Pivotal Big Data Suite- Reducing the Risks of Big Data The explosion of big data and the rapid evolution of big data tools and technologies is challenging IT to meet the demands of...
- A Survival Guide for Data in the Wild All corporate data used to reside in the data center. Safe and sound behind the corporate firewall. But now, employees have multiple devices...
- Transforming Security: Designing a State-of-the-Art Extended Team The information security mission is no longer about implementing and operating controls.
- The Big Data Security Analytics Era Is Here New security risks and old security challenges often overwhelm legacy security controls and analytical tools.
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!