[Smcwg-public] Backdating S/MIME revocations

Martijn Katerbarg martijn.katerbarg at sectigo.com
Wed Sep 20 09:25:58 UTC 2023


Hi all, 

Within our compliance team, we recently had a discussion around the way we handle revocation dates. 

For Code Signing certificates, CAs are required to keep the time encoded in the InvalidityDate extension and revocationDate field the same. Additionally, if a CA deems that a historic date should be set, for example due to a key compromise having occurred a while ago, CAs are required to backdate the value.

For TLS Certificates, CAs should set the revocationDate value to the date and time when revocation occurred; however, CAs are allowed to backdate if deemed appropriate.

Both of these documents state that this is a deviation/exception to best practices described in RFC5280. 

However, when we look at the SBRs, we could not find any such language that would clarify if and when backdating is allowed. I’m wondering if there’s been any discussion in the past around this, if this was left out on purpose, or if we missed this?

Likewise, I’m wondering how other issuers and consumers look at this, and if we want to add some clarifying language in the SBRs. I’m inclined to say that backdating revocation is something we should be supporting. 

Regards,

Martijn 
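The message above turns on two fields of a CRL entry: the revocationDate of the revokedCertificates entry and the InvalidityDate CRL entry extension (id-ce-invalidityDate, RFC 5280 section 5.3.2). The following Python is an added worked example, not part of Martijn's message and not any CA's code: it encodes a CRL entry with a hand-rolled minimal DER subset, decodes it back, and classifies the pair of dates the way a compliance check for either rule described in the message would (equal dates, backdated invalidity date, or the anomalous case where the invalidity date is later than the revocation). The DER helpers cover only what such an entry needs (definite lengths, UTCTime for revocationDate as RFC 5280 requires for dates before 2050, GeneralizedTime for the extension), and the sample timestamps are constructed.

```python
"""Encode, decode and audit a CRL revokedCertificates entry for
revocationDate vs. InvalidityDate consistency (RFC 5280 5.3.2).
Minimal DER subset only; not a general ASN.1 library (assumption)."""
from datetime import datetime, timezone

OID_INVALIDITY_DATE = "2.5.29.24"   # id-ce-invalidityDate

# Constructed sample timestamps (not taken from any real CRL).
T_REVOKED = datetime(2023, 9, 20, 9, 25, 58, tzinfo=timezone.utc)
T_COMPROMISE = datetime(2023, 9, 1, 0, 0, 0, tzinfo=timezone.utc)


def _der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos=0):
    """Return (tag, body, position just after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                     # UTCTime YYMMDDHHMMSSZ: two-digit year
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def encode_crl_entry(serial, revocation_date, invalidity_date=None):
    """SEQUENCE { serial INTEGER, revocationDate UTCTime,
    crlEntryExtensions SEQUENCE OF Extension OPTIONAL }."""
    body = _tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big"))
    body += _tlv(0x17, revocation_date.strftime("%y%m%d%H%M%SZ").encode())
    if invalidity_date is not None:
        # Extension value is an OCTET STRING wrapping a GeneralizedTime.
        ext_value = _tlv(0x18, invalidity_date.strftime("%Y%m%d%H%M%SZ").encode())
        ext = _tlv(0x30, _encode_oid(OID_INVALIDITY_DATE) + _tlv(0x04, ext_value))
        body += _tlv(0x30, ext)
    return _tlv(0x30, body)


def decode_crl_entry(der):
    """Return (serial, revocation_date, invalidity_date or None)."""
    _, body, _ = _read_tlv(der)
    _, serial_b, pos = _read_tlv(body)
    tag, time_b, pos = _read_tlv(body, pos)
    revocation_date, invalidity_date = _decode_time(tag, time_b), None
    if pos < len(body):                 # crlEntryExtensions present
        _, exts, _ = _read_tlv(body, pos)
        p = 0
        while p < len(exts):
            _, ext, p = _read_tlv(exts, p)
            _, oid_b, q = _read_tlv(ext)
            tag, value, q = _read_tlv(ext, q)
            if tag == 0x01:             # explicit critical BOOLEAN; skip it
                tag, value, q = _read_tlv(ext, q)
            if _decode_oid(oid_b) == OID_INVALIDITY_DATE:
                invalidity_date = _decode_time(*_read_tlv(value)[:2])
    return int.from_bytes(serial_b, "big"), revocation_date, invalidity_date


def audit_crl_entry(der):
    """Verdicts: 'consistent' (equal, the Code Signing rule), 'backdated'
    (InvalidityDate earlier, as the TLS rule permits), 'no-invalidity-date',
    or 'invalidity-after-revocation' (an anomaly worth a compliance ticket)."""
    serial, rev, inv = decode_crl_entry(der)
    if inv is None:
        verdict = "no-invalidity-date"
    elif inv == rev:
        verdict = "consistent"
    elif inv < rev:
        verdict = "backdated"
    else:
        verdict = "invalidity-after-revocation"
    return {"serial": serial, "revocationDate": rev, "invalidityDate": inv, "verdict": verdict}


if __name__ == "__main__":
    for entry in (encode_crl_entry(0x1234, T_REVOKED, T_REVOKED),
                  encode_crl_entry(0x80, T_REVOKED, T_COMPROMISE),
                  encode_crl_entry(7, T_COMPROMISE, T_REVOKED),
                  encode_crl_entry(7, T_REVOKED)):
        print(audit_crl_entry(entry))
```

Run against a real CRL, the same audit would be applied to each element of the revokedCertificates SEQUENCE after the outer TBSCertList is parsed; the classification logic is the part that encodes the policy question raised in the message, and it is deliberately separated from the parsing so that the "consistent" rule (Code Signing) or the "backdated allowed" rule (TLS) can be chosen per certificate type.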
