

Creation of the Baseline Requirements - V1 (BR1 standard) by the CA/B Forum

In November 2011 the CA/Browser Forum voted on new standards concerning SSL certificates. They will apply as of July 2012 and define:

  • The end of certificates valid for 5 or 6 years (Symantec will apply this rule in June 2012. As of May 2012 it won't be possible to obtain a GlobalSign certificate valid for more than 60 months). From 2015 it won't be possible to issue certificates valid for more than 39 months.

  • Certificates can no longer be issued for an internal name (see here)

  • Documents more than 39 months old won't be accepted anymore

  • Each certificate will have to carry at least one SAN field holding the main domain (free) indicated in the CN field
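
The certificate-content rules in the list above can be checked mechanically. The following is an added example (not code from this page's publisher or from the CA/B Forum) that works on the dictionary layout returned by Python's `ssl.SSLSocket.getpeercert()`; the internal-name heuristic, the suffix list, the month-counting convention and both sample certificates are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

MAX_MONTHS = 39  # cap quoted on this page for certificates issued from 2015
# Assumption: short, non-exhaustive list of suffixes that are not public TLDs.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".localhost")
FMT = "%b %d %H:%M:%S %Y GMT"  # date layout used by ssl.getpeercert()

def is_internal(name):
    """Heuristic: private IP, unqualified host name, or non-public suffix."""
    try:
        return ipaddress.ip_address(name).is_private
    except ValueError:
        pass  # not an IP address, treat it as a DNS name
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return "." not in host or host.endswith(INTERNAL_SUFFIXES)

def months_valid(cert):
    """Validity in months; a started partial month counts as a full one."""
    start = datetime.strptime(cert["notBefore"], FMT)
    end = datetime.strptime(cert["notAfter"], FMT)
    months = (end.year - start.year) * 12 + end.month - start.month
    if (end.day, end.time()) > (start.day, start.time()):
        months += 1
    return months

def check(cert):
    """Return the list of rule violations for one parsed certificate."""
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for _, v in cert.get("subjectAltName", ())]
    san_lower = {s.lower() for s in sans}
    problems = []
    if months_valid(cert) > MAX_MONTHS:
        problems.append("validity exceeds 39 months")
    if not sans or any(c.lower() not in san_lower for c in cn):
        problems.append("SAN does not hold the CN")
    problems += [f"internal name: {n}" for n in dict.fromkeys(cn + sans) if is_internal(n)]
    return problems

# Constructed sample certificates (not real ones).
GOOD = {"subject": ((("commonName", "www.example.com"),),),
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
        "notBefore": "Jul  1 00:00:00 2012 GMT", "notAfter": "Jul  1 00:00:00 2015 GMT"}
BAD = {"subject": ((("commonName", "mail.corp.local"),),),
       "subjectAltName": (("DNS", "intranet"), ("IP Address", "10.0.0.5")),
       "notBefore": "Jan 15 00:00:00 2015 GMT", "notAfter": "Jan 14 23:59:59 2020 GMT"}
```

Running `check(BAD)` reports the over-long validity, the CN absent from the SAN list, and all three internal names; `check(GOOD)` returns an empty list.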

These new rules will harmonize the issuance procedures of non-EV SSL certificates on several levels:

Identity vetting, certificate content, CA security, revocation mechanisms, algorithm use and key lengths, audit procedures, confidentiality, delegation (for Registration Authorities).

The goal is to provide a better structure for SSL certificate issuance by creating real cohesion among worldwide audit procedures, in order to prevent upcoming IT threats.

Reminder: In 2006, the Extended Validation certificate (displaying the green bar) was created by the CA/B Forum and is still the only effective tool against phishing.

20141016 - The end of SHA1 added to BR1 standards

Following announcements from Microsoft, Google and Mozilla that they will deprecate SHA1 in the next few months or years, the CA/B Forum has officially announced that SHA1 will no longer be accepted after December 31, 2014. It is no longer possible to obtain a SHA1 certificate expiring after this date and no SHA1 certificate will be delivered after January 1st, 2016.

SHA256 then becomes the recommended hash algorithm.
