View Issue Details

ID: 0001482
Project: Main CAcert Website
Category: General
View Status: public
Last Update: 2021-09-01 22:49
Reporter: SaT
Assigned To: jandd
Priority: urgent
Severity: block
Reproducibility: N/A
Status: fix available
Resolution: open
Platform: Default
OS: any
OS Version: any
Summary: 0001482: Limit validity period of new HTTPS certificates to one year
Description: According to the German article from Heise (1), most browser manufacturers will not accept HTTPS certificates anymore after September 1, 2020, if they have a validity period longer than one year. This article mentions other sources from Apple (2) and Google (3) regarding this decision.

CAcert should respect this constraint when issuing SSL server certificates. It could be hard-coded, or the user may be able to select if the certificate has a validity period of e.g. 6 months, 1 year or 2 years.

(1) https://www.heise.de/news/Browser-Hersteller-verkuerzen-Zertifikats-Lebensdauer-auf-1-Jahr-4796599.html
(2) https://support.apple.com/en-us/HT211025
(3) https://chromium.googlesource.com/chromium/src/+/ae4d6809912f8171b23f6aa43c6a4e8e627de784
Tags: No tags attached.
Reviewed by:
Test Instructions:

Relationships

has duplicate 0001494 (closed): Shorten certificate lifetime to one year
related to 0000775 (needs review, egal): A org certificate is only valid one year
related to 0001464 (new, Ted): Support ACME protocol for issuing certificates

Activities

L10N

2020-06-27 13:11

reporter   ~0005894

I have read the comments at Heise and come to the following conclusion:
1. we have to reduce the validity period from September 1 to 398 days (or 396 days - one day margin and every four years leap year)
2. if feasible, offer the validity period at the same time - otherwise later if possible - selectable:
As SaT says: 6/12 months (for web), but also 2/3/ev.5 years for other applications.
See among others the following article at Heise:

https://www.heise.de/forum/heise-online/Kommentare/Browser-Hersteller-verkuerzen-Zertifikats-Lebensdauer-auf-ein-Jahr/Als-ob-nur-Webserver-Browser-Zertifikate-verwenden/posting-36927599/show/
(they write about smtp, imap, ftp, ldap, xmpp, stunnel, and others)

The selection (e.g. radio button) must clearly state "for all purposes, incl. https" or "not suitable for websites/https" next to the duration.

Ted

2020-08-09 09:25

administrator   ~0005900

I just had a look at Apple's page cited above. There the statement is "This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS."

Chromium's statement is "Enforce publicly trusted TLS server certificates ...", which is not as specific as Apple's, but could be interpreted the same way...

jandd

2021-01-01 05:15

administrator   ~0005936

This is actually a software development issue because it needs changes to at least the signer client that currently determines the validity period of our certificates.

bdmc

2021-01-07 22:45

developer   ~0005942

jandd, have you created a Git branch for this yet?

jandd

2021-01-31 11:34

administrator   ~0005949

I just created https://github.com/CAcertOrg/cacert-devel/pull/23 for this

jandd

2021-01-31 11:35

administrator   ~0005950

Patch from the PR attached
0001-Reduce-the-lifetime-of-certificates-to-366-days.patch (1,089 bytes)   
From 2687e7ed7360d1c7e61064cea852daf4f91f6891 Mon Sep 17 00:00:00 2001
From: Jan Dittberner <jandd@cacert.org>
Date: Sun, 31 Jan 2021 12:30:02 +0100
Subject: [PATCH] Reduce the lifetime of certificates to 366 days.

This commit fixes #1482 by setting the lifetime of certificates to 366
days. Updates to the user documentation and/or CPS might be required and
there is no distinction between client and server certificates because
the type of certificate is not known at that location of the code.

Fixes #1482, Relates to #1494, #775
---
 CommModule/client.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CommModule/client.pl b/CommModule/client.pl
index 0874477..7a1afbe 100755
--- a/CommModule/client.pl
+++ b/CommModule/client.pl
@@ -444,7 +444,7 @@ sub calculateDays($)
     my @sum = $dbh->selectrow_array("select sum(`points`) as `total` from `notary` where `to`='".$_[0]."' and `deleted`=0 group by `to`");
     SysLog("Summe: $sum[0]\n") if($debug);
 
-    return ($sum[0]>=50)?730:180;
+    return ($sum[0]>=50)?366:180;
   }
   return 180;
 }
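Review bot: the new 366 sits next to the unchanged 180 as a second bare magic number in calculateDays, and, as the commit message itself notes, this function cannot distinguish server from client certificates, so the shortened lifetime now applies to every certificate issued to a member with 50 or more points; consider hoisting both values into named constants (for example a maximum server-certificate lifetime and a default lifetime) with a comment citing the 398-day browser limit discussed in this issue, so the numbers can be revisited once the CPS question raised below is settled without touching the function body. Separately, the surrounding context line builds the SQL query by concatenating $_[0] into the string; since this function is being edited anyway, passing the value as a bound parameter via selectrow_array's bind arguments (`where `to`=? ...`, undef, $_[0]) would be the safer form.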
-- 
2.29.2

Ted

2021-02-01 21:43

administrator   ~0005953

I'm afraid that this change has to be approved in the policy group.
The current CPS explicitly states a validity period of 24 months for assured members. The CPS can only be changed by the policy group, and we (as the software development group) are not allowed to install changes contradicting the CPS!

L10N

2021-09-01 22:49

reporter   ~0006084

That's an important hint, but I don't think it's an obstacle. If we offer our members 48 months, but optionally also shorter (longer?) terms, it should be possible.

( ) 5 years (not suitable for websites/https)
( ) 2 years (not suitable for websites/https)
( ) 1 year (for all purposes, incl. https)
( ) 6 months (for all purposes, incl. https)

Issue History

Date Modified Username Field Change
2020-06-27 09:30 SaT New Issue
2020-06-27 09:30 SaT Assigned To => jandd
2020-06-27 13:11 L10N Note Added: 0005894
2020-06-27 14:15 Ted Relationship added related to 0000775
2020-06-27 14:22 Ted Relationship added related to 0001464
2020-08-07 22:47 L10N Relationship added has duplicate 0001494
2020-08-09 09:25 Ted Note Added: 0005900
2021-01-01 05:15 jandd Note Added: 0005936
2021-01-07 22:45 bdmc Note Added: 0005942
2021-01-31 11:34 jandd Status new => fix available
2021-01-31 11:34 jandd Note Added: 0005949
2021-01-31 11:35 jandd Note Added: 0005950
2021-01-31 11:35 jandd File Added: 0001-Reduce-the-lifetime-of-certificates-to-366-days.patch
2021-02-01 21:43 Ted Note Added: 0005953
2021-02-04 08:02 jandd Project Infrastructure host => Main CAcert Website
2021-02-04 08:02 jandd Category general => General
2021-09-01 22:49 L10N Note Added: 0006084