In the wake of a parade of problems with certificate authorities and
attackers using stolen digital certificates, both Google and Mozilla are
poised to enforce new rules in their browsers for how long end-entity
certificates should be trusted.
The changes will begin taking effect at the beginning of 2014, at
least in Google Chrome, and will result in the browser no longer
trusting any certificate issued after July 1, 2012 whose validity period
is longer than 60 months. Note that the rule is about the length of the
validity window, not the age of the certificate: a certificate issued
before that date keeps working however long it runs. Mozilla also is
considering a similar move for its Firefox browser. The change is the
result of the adoption of the CA/Browser Forum Baseline Requirements,
a document that lays out a long list of requirements for the operation
of a certificate authority and the issuance of certificates. The
requirements specify that CAs must not issue certificates with a
validity period longer than 60 months (five years).
In a message Aug. 19 on the CA/B Forum mailing list, a Google
employee said that the company is planning to comply with this rule in
Chrome and Chrome OS beginning in 2014 with Developer and Beta channel
builds, eventually moving to the Stable channel sometime during the
first quarter.
“These checks, which will be landed into the Chromium repository in
the beginning of 2014, will reject as invalid any and all
certificates that have been issued after the Baseline Requirements
Effective Date of 2012-07-01 and which have a validity period exceeding
the specified maximum of 60 months. Per the Chromium release cycle,
these changes can be expected to be seen in a Chrome Stable release
within 1Q 2014, after first appearing in Dev and Beta releases,” Ryan
Sleevi of Google said in the message.
“Our view is that such certificates are non-compliant with the
Baseline Requirements. Chrome and Chromium will no longer be considering
such certificates as valid for the many reasons that have been
discussed previously on this list.”
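The rule quoted above has two parts a practitioner would want to check for themselves: was the certificate issued on or after the Baseline Requirements effective date, and does its notBefore/notAfter window exceed 60 months? The following is an added example, not Chromium's code and not from the article; the month arithmetic (calendar months, with any leftover days or seconds rounded up to a full month) is this example's own interpretation of "a validity period exceeding 60 months", and the certificate dates are constructed samples in the format printed by `openssl x509 -noout -dates`.

```python
"""Check X.509 validity windows against the 60-month cap described above.

Added example (not Chromium's implementation). notBefore is used as a
stand-in for the issuance date, which is the usual approximation since
certificates do not carry an explicit issuance timestamp.
"""
from datetime import datetime, timezone

# CA/B Forum Baseline Requirements effective date (from the article).
BR_EFFECTIVE_DATE = datetime(2012, 7, 1, tzinfo=timezone.utc)
MAX_VALIDITY_MONTHS = 60

# Constructed sample inputs, not real certificates. Strings are in the
# "notBefore=" / "notAfter=" format emitted by `openssl x509 -noout -dates`.
SAMPLE_VALIDITY = {
    "legacy-10yr": ("Jan  1 00:00:00 2011 GMT", "Jan  1 00:00:00 2021 GMT"),
    "compliant-5yr": ("Aug  1 00:00:00 2012 GMT", "Jul 31 23:59:59 2017 GMT"),
    "overlong-5yr-plus-1d": ("Aug  1 00:00:00 2012 GMT", "Aug  1 23:59:59 2017 GMT"),
    "overlong-6yr": ("Mar 15 12:00:00 2013 GMT", "Mar 15 12:00:00 2019 GMT"),
}


def parse_openssl_date(text: str) -> datetime:
    """Parse e.g. 'Jan  1 00:00:00 2013 GMT' (openssl pads the day with a space)."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc
    )


def validity_months(not_before: datetime, not_after: datetime) -> int:
    """Validity period in calendar months, rounding any partial month up.

    Interpretation used here (an assumption, not from the page): a window
    2013-01-01T00:00:00 -> 2018-01-01T00:00:00 is exactly 60 months, while
    anything past that instant, even one second, counts as a 61st month.
    """
    if not_after < not_before:
        raise ValueError("notAfter precedes notBefore")
    months = (not_after.year - not_before.year) * 12 + (not_after.month - not_before.month)
    # Compare the within-month position of both endpoints; a later position
    # in the end month means a fraction of a month remains, which rounds up.
    end_pos = (not_after.day, not_after.hour, not_after.minute, not_after.second)
    start_pos = (not_before.day, not_before.hour, not_before.minute, not_before.second)
    if end_pos > start_pos:
        months += 1
    return months


def exceeds_br_max_validity(not_before: datetime, not_after: datetime) -> bool:
    """True if the certificate is subject to the 60-month cap and breaks it.

    Certificates whose validity began before the BR effective date are exempt,
    matching the quoted Chromium plan (only certificates issued after
    2012-07-01 are rejected).
    """
    if not_before < BR_EFFECTIVE_DATE:
        return False
    return validity_months(not_before, not_after) > MAX_VALIDITY_MONTHS


def audit(samples: dict) -> dict:
    """Map each sample name to (months, rejected) for the rule above."""
    results = {}
    for name, (before_txt, after_txt) in samples.items():
        nb, na = parse_openssl_date(before_txt), parse_openssl_date(after_txt)
        results[name] = (validity_months(nb, na), exceeds_br_max_validity(nb, na))
    return results


if __name__ == "__main__":
    for name, (months, rejected) in audit(SAMPLE_VALIDITY).items():
        verdict = "REJECT (BR validity > 60 months)" if rejected else "ok"
        print(f"{name:22s} {months:4d} months  {verdict}")
```

To run it against a real certificate, feed the two lines from `openssl x509 -in cert.pem -noout -dates` (with the `notBefore=`/`notAfter=` prefixes stripped) to `parse_openssl_date`. The legacy sample shows the caveat the article glosses over: a ten-year certificate from 2011 is not rejected by this rule, because the cap applies only to certificates issued after the effective date.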
Mozilla developers also have begun the process of making the same change to Firefox, opening a tracking entry in the project's Bugzilla bug tracker.
Certificate authorities have had a rough go of it for the last couple
of years, beginning with the attacks on Comodo and DigiNotar and
continuing with the use of stolen digital certificates in a number of
pieces of malware recently. One result of the attacks on CAs is that the
browser vendors end up being the ones who have to clean up the mess,
removing trust for compromised certificates and helping to make sure
users aren't harmed by attackers using the bad certificates. The new
restriction on the validity period of certificates won't solve those
problems, but it bounds how long any single certificate, and whatever
keys, algorithms and vetting it was issued with, stays trusted, and it
forces subscribers back through the CA's validation process at least
every five years rather than letting a certificate run unexamined for a
decade.
Courtesy of Dennis Fisher