In the wake of a parade of problems with certificate authorities and attackers using stolen digital certificates, both Google and Mozilla are poised to enforce new rules in their browsers for how long end-entity certificates should be trusted.
The changes will begin taking effect at the beginning of 2014, at least in Google Chrome, and will result in the browser no longer trusting any certificate that’s more than 60 months old. Mozilla also is considering a similar move for its Firefox browser. The change is the result of the adoption of the CA/Browser Forum Baseline Requirements, a document that lays out a long list of requirements for the operation of a certificate authority and issuance of certificates. The requirements specify that CAs should not issue any certificates with a validity period longer than five years.
In a message Aug. 19 on the CA/B Forum mailing list, a Google employee said that the company is planning to comply with this rule in Chrome and Chrome OS beginning in 2014 with Developer and Beta channel builds, eventually moving to the Stable channel sometime during the first quarter.
“These checks, which will be landed into the Chromium repository in the beginning of 2014, will reject as invalid any and all certificates that have been issued after the Baseline Requirements Effective Date of 2012-07-1 and which have a validity period exceeding the specified maximum of 60 months. Per the Chromium release cycle, these changes can be expected to be seen in a Chrome Stable release within 1Q 2014, after first appearing Dev and Beta releases,” Ryan Sleevi of Google said in the message.
“Our view is that such certificates are non-compliant with the Baseline Requirements. Chrome and Chromium will no longer be considering such certificates as valid for the many reasons that have been discussed previously on this list.”
Mozilla developers also have begun the process of making the same change to Firefox, creating an entry in its Bugzilla change system.
Certificate authorities have had a rough go of it for the last couple of years, beginning with the attacks on Comodo and DigiNotar and following with the use of stolen digital certificates in a number of pieces of malware recently. One of the results of the attacks on CAs is that the browser vendors end up being the ones who have to clean up the mess, removing trust for compromised certificates and helping to make sure users aren’t harmed by attackers using the bad certificates. The new restriction on the validity period of certificates won’t solve those problems, but it is a move to help limit the practice of continuously reissuing certificates once they’ve been approved.