Following Google's lead, Mozilla considers rejecting long-lived digital certificates
Mozilla is considering the possibility of rejecting as invalid SSL certificates issued after July 1, 2012, with a validity period of more than 60 months. Google already made the decision to block such certificates in Chrome starting early next year.
“As a result of further analysis of available, publicly discoverable certificates, as well as the vibrant discussion among the CA/B Forum [Certificate Authority/Browser Forum] membership, we have decided to implement further programmatic checks in Google Chrome and the Chromium Browser in order to ensure Baseline Requirements compliance,” Ryan Sleevi, a member of the Google Chrome Team said Monday in a message to the CA/B Forum mailing list.
The checks will be added to the development and beta releases of Google Chrome at the beginning of 2014. The changes are expected in the stable release of Chrome during the first quarter of next year, Sleevi said.
The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, sometimes simply referred to as the Baseline Requirements, is a set of guidelines agreed upon by all certificate authorities (CAs) and browser vendors that are members of the CA/B Forum.
Version 1.0 of the Baseline Requirements went into effect on July 1, 2012, and states that “Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months.” It also says that certificates to be issued after April 1, 2015, will need to have a validity period no greater than 39 months, but there are some clearly defined exceptions to this requirement.
The shortening of certificate validity period is a proactive measure that would allow for a timely implementation of changes made to the requirements in the future. It would be hard for future requirements, especially those with a security impact, to have a practical effect if older certificates that aren’t compliant with them would remain valid for 10 more years.
Google identified 2038 certificates that were issued after July 1, 2012, and have validity periods longer than 60 months, in violation of the current Baseline Requirements.
“We encourage CAs that have engaged in this unfortunate practice, which appears to be a very limited subset of CAs, to reach out to affected customers and inform them of the upcoming changes,” Sleevi said referring to the fact that Chrome will start blocking those certificates in the beginning of 2014.
On Thursday, a discussion was started on the Mozilla bug tracker on whether the company should enforce a similar block in its products.
“Everyone agrees such certs, when newly issued, are incompatible with the Baseline Requirements,” said Gervase Markham, who deals with issues of project governance at Mozilla, on the bug tracker. “Some CAs have argued that when reissued, this is not so, but Google does not agree with them. We should consider making the same change.”
Daniel Veditz, the security lead at Mozilla said that he sees why CAs might have a problem with this from a business and legal standpoint. If a CA already sold a “product”—in this case a certificate—in the past with certain terms and would later violate those terms by deciding to reduce the certificate’s validity period, they might be in hot water, he said.
“Although it does seem as if reissuing as a 60-month cert with the promise to reissue with the balance later ought to be satisfactory,” Vediz said.
Markham agreed. “No one is asking CAs to not give customers what they’ve paid for in terms of duration; it will just need to be 2 (or more) separate certs,” he said. “I agree that changing certs once every 5 years rather than every 10 might be a minor inconvenience for customers who use the same web server hardware and software for more than 5 years, but I’m not sure how large a group that is.”
Mozilla’s PR firm in the U.K. could not immediately provide a statement from the company regarding this issue.