<div dir="ltr"><div dir="ltr" class="gmail_attr">On Wed, Oct 9, 2019 at 1:57 PM Houle, Todd - 1120 - MITLL &lt;<a href="mailto:Todd.Houle@ll.mit.edu">Todd.Houle@ll.mit.edu</a>&gt; wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_1252911017443354614WordSection1"><p class="MsoNormal"><span style="font-size:11pt"><a href="https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/" target="_blank">https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/</a><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt">I know Mozilla is supporting these requirements on Root CAs that it distributes. Anything about end entity certs? Will or does Firefox require the same configuration on those? </span></p></div></div></blockquote><div><br></div><div>The CA/Browser Forum lifetime requirements only apply to end-entity certificates. Mozilla enforces these requirements on CAs that are included in our root store via policy, and we've found this to be effective. We also technically limit the lifetime of EV certificates in Firefox, but we currently have no plans to do the same for all certificates.<br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_1252911017443354614WordSection1"><p class="MsoNormal"><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt">I know Apple is including this requirement for its OS (Safari) for 10.15. Has Google Chrome also implemented this into their certificate validation? 
</span></p></div></div></blockquote><div><br></div><div>Chrome has in the past enforced end-entity certificate lifetime in code, but you'll need to confirm that with the Chrome team.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_1252911017443354614WordSection1"><p class="MsoNormal"><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt">Thank you, everyone<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt"> Todd<u></u><u></u></span></p></div></div>
</blockquote></div></div>