Mozilla May Limit Certificate Validity to 60 Months
Following recent incidents involving certificate authorities and attackers using stolen digital certificates, Google and Mozilla, two major IT companies, have decided to implement new rules in their internet browsers. They will reconsider how long end-entity certificates are trusted.
Starting in 2014, Google Chrome will consider any certificate that is older than 60 months as expired. Although Mozilla has not revealed such information about its plans, it is believed that it will take similar measures. These modifications were made after the CA/Browser Forum released the Baseline Requirements, a document which describes the requirements for the issuance of certificates and the operation of a certificate authority. According to that document, all CA-issued certificates should expire in 5 years. On August 19, Google representative Ryan Sleevi gave assurances that the IT giant will pursue the new policy. Chrome and Chrome OS will be adapted to the new requirements from the start of 2014. At first the software will be tested in Developer and Beta channel builds, and the Stable channel should be released in the first quarter of 2014.
Sleevi added that, due to these checks, which will be introduced to the Chromium repository from the start of 2014, certificates issued after the Baseline Requirements Effective Date of 2012-07-01, or the ones which exceeded the 60 month period, will be considered invalid and will be rejected. According to Sleevi, those changes will be tested on the Developer and Beta versions first, before moving on to the Stable version. The latter should be released in the first quarter of 2014. The developers at Mozilla don't want to fall behind either. They are planning to make the same modifications to Firefox. As a result, an entry was created in the Bugzilla change system.
Certificate authorities have had a hard time during the last two years, starting with the attacks on DigiNotar and Comodo and ending with the fact that stolen digital certificates were used in a vast amount of malware. As a result of the attacks on CAs, the companies behind internet browsers had a lot of things to fix. They had to remove the compromised certificates from the trusted list and protect users from the attackers who were using the bad certificates. Unfortunately, the newly adopted policy won't solve the previously mentioned issues. Nevertheless, by implementing the new rules, the continuous reuse of approved certificates will be limited. This should have a positive impact on Internet safety.