<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Oct 6, 2015 at 3:21 AM, Jeremy Rowley <span dir="ltr"><<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72">
<div>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Yes – it’s backwards. That was an error on my part. The rationale on 48 hours from issuance is that we’ve always talked about 3 days – 1 on the backend and 2 on the front. 48 was picked as a starting point
for discussion purposes, not as the final proposal. <u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)">Other items mentioned by Doug previous that need to be addressed include:<u></u><u></u></span></p>
<p><u></u><span style="color:rgb(31,73,125)"><span>1)<span style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="color:rgb(31,73,125)">The timeframe should be based on notBefore since issuance date isn’t defined
<u></u><u></u></span></p>
<p><u></u><span style="color:rgb(31,73,125)"><span>2)<span style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="color:rgb(31,73,125)">Simply state that short-lived certs cannot be generated more than 24 hours before the notBefore date</span></p></div></div></blockquote></div>There is still a need to define issuance date/time. Otherwise, you could not specify the requirements for how far in the past/future notBefore must be. And, that would make the requirements for notAfter murky too.</div><div class="gmail_extra"><br></div><div class="gmail_extra">I suggest that issuance time IT be defined as the time the CA signed the certificate with its private key. The certificate's notBefore time NB must be not be more than 24 hours earlier than IT and must not be more than 24 hours after IT. Similarly, the certificate's notAfter NA time must be no more than 48 hours after IT.</div><div class="gmail_extra"><br></div><div class="gmail_extra">That is, all the following must be true:</div><div class="gmail_extra">NB < NA</div><div class="gmail_extra">NB >= IT - 24</div><div class="gmail_extra">NB <= IT + 24</div><div class="gmail_extra">NA <= IT + 48.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Note that I chose the values "24" and "48" for consistency with what you chose. I don't know if "24" and "48" are the best choices. However, the current minimum OCSP staleness is not a good choice because it is too long. We should, instead, shorten the maximum OCSP staleness.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Cheers,</div><div class="gmail_extra">Brian<br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><a href="https://briansmith.org/" target="_blank">https://briansmith.org/</a></div><div><br></div></div></div></div></div></div></div>
</div></div>