View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001482 | Main CAcert Website | General | public | 2020-06-27 09:30 | 2021-09-01 22:49 |
Reporter | SaT | Assigned To | jandd | ||
Priority | urgent | Severity | block | Reproducibility | N/A |
Status | fix available | Resolution | open | ||
Platform | Default | OS | any | OS Version | any |
Summary | 0001482: Limit validity period of new HTTPS certificates to one year | ||||
Description | According to the German article from Heise (1), most browser manufacturers will not accept HTTPS certificates anymore after September 1, 2020, if they have a validity period longer than one year. This article mentions other sources from Apple (2) and Google (3) regarding this decision. CAcert should respect this constraint when issuing SSL server certificates. It could be hard-coded, or the user may be able to select if the certificate has a validity period of e.g. 6 months, 1 year or 2 years. (1) https://www.heise.de/news/Browser-Hersteller-verkuerzen-Zertifikats-Lebensdauer-auf-1-Jahr-4796599.html (2) https://support.apple.com/en-us/HT211025 (3) https://chromium.googlesource.com/chromium/src/+/ae4d6809912f8171b23f6aa43c6a4e8e627de784 | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
(0005894) L10N 2020-06-27 13:11
I have read the comments at Heise and come to the following conclusion:
1. We have to reduce the validity period from September 1 to 398 days (or 396 days: one day of margin, plus one leap day every four years).
2. If feasible, offer a selectable validity period at the same time (otherwise later, if possible). As SaT says: 6/12 months (for web), but also 2/3/possibly 5 years for other applications. See among others the following article at Heise: https://www.heise.de/forum/heise-online/Kommentare/Browser-Hersteller-verkuerzen-Zertifikats-Lebensdauer-auf-ein-Jahr/Als-ob-nur-Webserver-Browser-Zertifikate-verwenden/posting-36927599/show/ (they write about smtp, imap, ftp, ldap, xmpp, stunnel, and others).
The selection (e.g. radio button) must clearly state "for all purposes, incl. https" or "not suitable for websites/https" next to the duration.
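As an added illustration of the arithmetic in this note (example code, not part of the issue, the PR, or CAcert's signer client): it labels each duration proposed in this thread against the 398-day browser cap with the one-day margin suggested here, audits an existing certificate's dates against that limit, and sweeps a four-year window to show how much a calendar-based "N years" varies because of leap days. The option list, the 398-day cap and the margin come from this thread; the function names, the constructed day counts for 3 and 5 years, and the assumption that the margin is subtracted from the cap are mine.

```python
from datetime import date, timedelta

BROWSER_MAX_DAYS = 398  # cap cited in this issue for publicly trusted TLS server certs
MARGIN_DAYS = 1         # one-day safety margin proposed in the note (assumption: subtracted from the cap)
HTTPS_LIMIT = BROWSER_MAX_DAYS - MARGIN_DAYS

# Durations discussed on this issue, in days (constructed values: 180 and 730 are
# what the signer client uses today, 366 is the replacement proposed in the PR).
OPTIONS = {
    "6 months": 180,
    "1 year": 366,
    "2 years": 730,
    "3 years": 1095,
    "5 years": 1825,
}


def not_after(not_before, lifetime_days):
    """notAfter for a certificate issued on not_before with a fixed lifetime in days."""
    return not_before + timedelta(days=lifetime_days)


def period_days(not_before, not_after_):
    """Validity period length in whole days."""
    return (not_after_ - not_before).days


def https_ok(not_before, not_after_):
    """True when the period fits under the browser cap minus the margin."""
    return period_days(not_before, not_after_) <= HTTPS_LIMIT


def label_option(lifetime_days):
    """Wording proposed in the note for the selection next to each duration."""
    if lifetime_days <= HTTPS_LIMIT:
        return "for all purposes, incl. https"
    return "not suitable for websites/https"


def audit(not_before, not_after_):
    """What a checker would report for an existing certificate's validity dates."""
    days = period_days(not_before, not_after_)
    return {"days": days, "https_ok": days <= HTTPS_LIMIT,
            "over_by": max(0, days - HTTPS_LIMIT)}


def years_later(d, years):
    """Calendar-based 'N years later'; Feb 29 falls back to Feb 28 when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def calendar_year_range(years, start, end):
    """Shortest and longest period (in days) that a calendar-based 'N years'
    yields for every issue date from start to end inclusive; the spread is the
    leap-day effect the note allows for with its 396-day figure."""
    lengths = set()
    d = start
    while d <= end:
        lengths.add(period_days(d, years_later(d, years)))
        d += timedelta(days=1)
    return min(lengths), max(lengths)


if __name__ == "__main__":
    issue_date = date(2020, 9, 1)
    for name, days in OPTIONS.items():
        print(f"( ) {name:9s} {days:5d} days  {label_option(days)}")
    # A 2-year certificate as the signer client issues it today:
    print(audit(issue_date, not_after(issue_date, 730)))
    print("calendar '1 year' spans", calendar_year_range(1, date(2020, 1, 1), date(2023, 12, 31)), "days")
```

Because the signer client counts a fixed number of days rather than calendar years, 366 days stays under the 397-day effective limit from any issue date; the sweep only matters if a "1 year" option is ever implemented as "same date next year", where the period is 365 or 366 days depending on whether a February 29 falls inside it.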
(0005900) Ted 2020-08-09 09:25
I just had a look at Apple's page cited above. There the statement is "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS." Chromium's statement is "Enforce publicly trusted TLS server certificates ...", which is not as specific as Apple's, but could be interpreted the same way...
(0005936) jandd 2021-01-01 05:15
This is actually a software development issue because it needs changes to at least the signer client that currently determines the validity period of our certificates.
(0005942) bdmc 2021-01-07 22:45
jandd, have you created a Git branch for this yet?
(0005949) jandd 2021-01-31 11:34
I just created https://github.com/CAcertOrg/cacert-devel/pull/23 for this.
(0005950) jandd 2021-01-31 11:35
Patch from the PR attached: 0001-Reduce-the-lifetime-of-certificates-to-366-days.patch (1,089 bytes)
From 2687e7ed7360d1c7e61064cea852daf4f91f6891 Mon Sep 17 00:00:00 2001 From: Jan Dittberner <jandd@cacert.org> Date: Sun, 31 Jan 2021 12:30:02 +0100 Subject: [PATCH] Reduce the lifetime of certificates to 366 days. This commit fixes #1482 by setting the lifetime of certificates to 366 days. Updates to the user documentation and/or CPS might be required and there is no distinction between client and server certificates because the type of certificate is not known at that location of the code. Fixes #1482, Relates to #1494, #775 --- CommModule/client.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CommModule/client.pl b/CommModule/client.pl index 0874477..7a1afbe 100755 --- a/CommModule/client.pl +++ b/CommModule/client.pl @@ -444,7 +444,7 @@ sub calculateDays($) my @sum = $dbh->selectrow_array("select sum(`points`) as `total` from `notary` where `to`='".$_[0]."' and `deleted`=0 group by `to`"); SysLog("Summe: $sum[0]\n") if($debug); - return ($sum[0]>=50)?730:180; + return ($sum[0]>=50)?366:180; } return 180; } -- 2.29.2 |
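Review bot: the changed line `return ($sum[0]>=50)?366:180;` replaces one bare literal (730) with another, so nothing in the code records why 366 was chosen; since the commit message itself says the CPS and user documentation may need updating and that client and server certificates cannot be told apart at this point, a named value such as `my $ASSURED_DAYS = 366;` with a comment naming the 398-day browser limit as the basis would make the next adjustment auditable. In the same hunk, `$sum[0]` goes straight into a numeric comparison after `selectrow_array`; when the query matches no rows (a member with no notary entries) the array is empty and the comparison runs on undef, which lands in the 180-day branch only by accident of Perl's undef-to-0 coercion, so an explicit `defined` check before the comparison would state that intent. The context line above also builds the SQL by interpolating `$_[0]` into the string; this is pre-existing, but since the function is being touched anyway, passing the member id as a bind parameter via the third argument of `selectrow_array` would remove the string-building pattern next to the modified line.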
(0005953) Ted 2021-02-01 21:43
I'm afraid that this change has to be approved in the policy group. The current CPS explicitly states a validity period of 24 months for assured members. The CPS can only be changed by the policy group, and we (as the software development group) are not allowed to install changes contradicting the CPS!
(0006084) L10N 2021-09-01 22:49
That's an important hint, but I don't think it's an obstacle. If we offer our members 48 months, but optionally also shorter (longer?) terms, it should be possible.
( ) 5 years (not suitable for websites/https)
( ) 2 years (not suitable for websites/https)
( ) 1 year (for all purposes, incl. https)
( ) 6 months (for all purposes, incl. https)
Date Modified | Username | Field | Change |
---|---|---|---|
2020-06-27 09:30 | SaT | New Issue | |
2020-06-27 09:30 | SaT | Assigned To | => jandd |
2020-06-27 13:11 | L10N | Note Added: 0005894 | |
2020-06-27 14:15 | Ted | Relationship added | related to 0000775 |
2020-06-27 14:22 | Ted | Relationship added | related to 0001464 |
2020-08-07 22:47 | L10N | Relationship added | has duplicate 0001494 |
2020-08-09 09:25 | Ted | Note Added: 0005900 | |
2021-01-01 05:15 | jandd | Note Added: 0005936 | |
2021-01-07 22:45 | bdmc | Note Added: 0005942 | |
2021-01-31 11:34 | jandd | Status | new => fix available |
2021-01-31 11:34 | jandd | Note Added: 0005949 | |
2021-01-31 11:35 | jandd | Note Added: 0005950 | |
2021-01-31 11:35 | jandd | File Added: 0001-Reduce-the-lifetime-of-certificates-to-366-days.patch | |
2021-02-01 21:43 | Ted | Note Added: 0005953 | |
2021-02-04 08:02 | jandd | Project | Infrastructure host => Main CAcert Website |
2021-02-04 08:02 | jandd | Category | general => General |
2021-09-01 22:49 | L10N | Note Added: 0006084 | |