View Issue Details

ID: 0001482
Project: Infrastructure host
Category: general
View Status: public
Last Update: 2020-06-27 14:22
Reporter: SaT
Assigned To: jandd
Priority: urgent
Severity: block
Reproducibility: N/A
Status: new
Resolution: open
Platform: Default
OS: any
Summary: 0001482: Limit validity period of new HTTPS certificates to one year

Description:
According to the German article from Heise (1), most browser manufacturers will not accept HTTPS certificates anymore after September 1, 2020, if they have a validity period longer than one year. This article mentions other sources from Apple (2) and Google (3) regarding this decision.

CAcert should respect this constraint when issuing SSL server certificates. It could be hard-coded, or the user may be able to select if the certificate has a validity period of e.g. 6 months, 1 year or 2 years.

(1) https://www.heise.de/news/Browser-Hersteller-verkuerzen-Zertifikats-Lebensdauer-auf-1-Jahr-4796599.html
(2) https://support.apple.com/en-us/HT211025
(3) https://chromium.googlesource.com/chromium/src/+/ae4d6809912f8171b23f6aa43c6a4e8e627de784
Tags: No tags attached.

Relationships

related to 0000775 (needs review, egal) Main CAcert Website: A org certificate is only valid one year
related to 0001464 (new, Ted) Main CAcert Website: Support ACME protocol for issuing certificates

Activities

L10N

2020-06-27 13:11

reporter   ~0005894

I have read the comments at Heise and come to the following conclusion:
1. We have to reduce the validity period from September 1 to 398 days (or 396 days - one day margin and every four years leap year).
2. If feasible, offer the validity period at the same time - otherwise later if possible - selectable:
As SaT says: 6/12 months (for web), but also 2/3/possibly 5 years for other applications.
See among others the following article at Heise:

https://www.heise.de/forum/heise-online/Kommentare/Browser-Hersteller-verkuerzen-Zertifikats-Lebensdauer-auf-ein-Jahr/Als-ob-nur-Webserver-Browser-Zertifikate-verwenden/posting-36927599/show/
(they write about smtp, imap, ftp, ldap, xmpp, stunnel, and others)

The selection (e.g. radio button) must clearly state "for all purposes, incl. https" or "not suitable for websites/https" next to the duration.
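
A sketch of the check and labelling discussed in this issue, as an added example that is not part of the original ticket or CAcert's code: it reads the dates printed by `openssl x509 -noout -dates`, applies the 398-day limit to certificates dated on or after September 1, 2020, and labels duration options with the wording proposed in the note. The option list, day counts, sample dates, function names and the use of notBefore as the issuance time are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Limit discussed in this issue: certificates issued on or after
# 2020-09-01 00:00 UTC must not be valid for more than 398 days.
CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_HTTPS_VALIDITY = timedelta(days=398)

# Assumed option list (days include a possible leap day); not CAcert's own.
OPTIONS_DAYS = {"6 months": 184, "1 year": 366, "2 years": 731,
                "3 years": 1096, "5 years": 1827}

# Constructed sample in the format printed by `openssl x509 -noout -dates`.
SAMPLE_DATES = """notBefore=Sep  2 00:00:00 2020 GMT
notAfter=Sep  2 00:00:00 2022 GMT"""


def parse_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())

    def to_utc(value):
        # Collapse the padding OpenSSL puts before single-digit days.
        stamp = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
        return stamp.replace(tzinfo=timezone.utc)

    return to_utc(fields["notBefore"]), to_utc(fields["notAfter"])


def https_acceptable(not_before, not_after):
    """False if a browser enforcing the limit would reject the certificate."""
    # Assumption: notBefore stands in for the issuance time.
    if not_before < CUTOFF:
        return True  # dated before the cutoff, so the limit does not apply
    # notBefore and notAfter both lie inside the validity period, so count
    # one extra second (conservative choice for this example).
    return (not_after - not_before) + timedelta(seconds=1) <= MAX_HTTPS_VALIDITY


def option_labels(issue_time):
    """Map each offered duration to the label wording proposed in the note."""
    labels = {}
    for name, days in OPTIONS_DAYS.items():
        not_after = issue_time + timedelta(days=days) - timedelta(seconds=1)
        ok = https_acceptable(issue_time, not_after)
        labels[name] = ("for all purposes, incl. https" if ok
                        else "not suitable for websites/https")
    return labels
```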

Issue History

Date Modified Username Field Change
2020-06-27 09:30 SaT New Issue
2020-06-27 09:30 SaT Assigned To => jandd
2020-06-27 13:11 L10N Note Added: 0005894
2020-06-27 14:15 Ted Relationship added related to 0000775
2020-06-27 14:22 Ted Relationship added related to 0001464