That doesn’t sound fair. Casey Crane is even-handed- Google Chrome to Join Apple’s Safari in One Year Certificate Validity: One year validity for SSL/TLS certificates has been a hot topic of conversation within the CA/B Forum for years. However, Apple decided to act unilaterally. In a vote last year, the CAs won and the browser makers lost. CAs that shorter validity creates more work for IT companies. Traditionally, the validity period of certificates is decided by a body known as the CA/B Forum, comprising a mix of Certificate Authorities (CAs) – the companies which issue the certificates – and browser makers. … Apple will only accept … certificates as valid if they were issued within the past 13 months. Spokespeople for Mozilla and Google were not available for further comment.Īnd Ben Lovejoy adds- After Safari boosts HTTPS protections, other browsers follow: Back in February, Apple announced plans to boost HTTPS protections in Safari, with effect from September 1.
… All eyes are on Microsoft, which is expected to make a decision … by the Fall. Certificates that violate this will be rejected with ERR_CERT_VALIDITY_TOO_LONG and will be treated as misissued.” And Mozilla is preparing to adopt the policy in its Firefox browser. Google's Chrome is set to follow suit, judging by this commit to the Chromium … code last week: “Enforce publicly trusted TLS server certificates have a lifetime of 398 days or less, if they are issued on or after. … Suffice to say, certificate sellers were irritated by the change. Users may see error messages or notice connections fail and services break.Ĭritics, particularly commercial certificate sellers, say it burdens software makers and site owners with extra costs and hassle, and will drive folks to free services, such as Let's Encrypt – which, incidentally, offers tools to regularly and automatically renew certificates at no cost. What’s the craic? Shaun Nichols reports- From Sept 1, new TLS certificates valid for more than 398 days will be snubbed: For developers and site admins, that means if you're creating or renewing certs after September 1, make sure they expire within … 398 days … or they won't work as you expect in Safari, on iOS, and with other Apple software. Your humble blogwatcher curated these bloggy bits for your entertainment. Outrageous! In this week’s Security Blogwatch, we play both sides. And then Google and Mozilla followed suit. Apple did it unilaterally-despite the proposal being voted down in CA/B. Wait, when was that agreed? Um, funny thing: It wasn’t. If it’s longer, browsers and other HTTPS code will reject the cert as invalid. That’s right: 398 days is the maximum length for a publicly issued server cert. Any cert issued after next month needs to last no longer than a year (plus a month’s grace). If you use TLS certificates with long validity periods, then listen up.
0 kommentar(er)
