<div dir="ltr"><div>I'm also interested in how this language on Mozilla's wiki might be supplemented with better guidance -- "Minor tweaking for technical compatibility reasons is accepted, but
backdating certificates in order to avoid some deadline, prohibition, or
code-enforced restriction is not." <a href="https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date">https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date</a><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 4, 2023 at 8:39 AM Martijn Katerbarg via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg6855427169104933928"><div lang="en-SE" style="overflow-wrap: break-word;"><div class="m_6855427169104933928WordSection1"><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">On the back of this, and the discussion that was held during the last call, I’ve created a proposed language update to address this. Please find this available for discussion at <a href="https://github.com/cabforum/smime/pull/217" target="_blank">https://github.com/cabforum/smime/pull/217</a><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">Regards,<br><br>Martijn<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p><div id="m_6855427169104933928mail-editor-reference-message-container"><div><div style="border-width:1pt medium medium;border-style:solid none none;border-color:rgb(181,196,223) currentcolor currentcolor;padding:3pt 0cm 0cm"><p class="MsoNormal" style="margin-bottom:12pt"><b><span style="font-size:12pt;color:black">From: </span></b><span style="font-size:12pt;color:black">Smcwg-public <<a href="mailto:smcwg-public-bounces@cabforum.org" target="_blank">smcwg-public-bounces@cabforum.org</a>> on behalf of Martijn Katerbarg via Smcwg-public <<a href="mailto:smcwg-public@cabforum.org" 
target="_blank">smcwg-public@cabforum.org</a>><br><b>Date: </b>Wednesday, 20 September 2023 at 11:26<br><b>To: </b>SMIME Certificate Working Group <<a href="mailto:smcwg-public@cabforum.org" target="_blank">smcwg-public@cabforum.org</a>><br><b>Subject: </b>[Smcwg-public] Backdating S/MIME revocations<u></u><u></u></span></p></div><p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p><div><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">Hi all,</span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"> </span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">Within our compliance team, we recently had a discussion around the way we handle revocation dates. </span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"> </span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">For Code Signing certificates, CAs are required to keep the time encoded in the InvalidityDate extension and revocationDate field the same. 
Additionally, if a CA deems that a historic date should be set, for example due to a key compromise having occurred a while ago, CAs are required to backdate the value.</span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"> </span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">For TLS Certificates, CAs should set the revocationDate value to the date and time when revocation occurred; however, CAs are allowed to backdate if deemed appropriate.</span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"> </span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">Both of these documents state that this is a deviation/exception to best practices described in RFC5280.</span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"> </span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">However, when we look at the SBRs, we could not find any such language that would clarify if and when backdating is allowed. I’m wondering if there’s been any discussion in the past around this, if this was left out on purpose, or if we missed this?</span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"> </span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">Likewise, I’m wondering how other issuers and consumers look at this, and if we want to add some clarifying language in the SBRs. 
I’m inclined to say that backdating revocation is something we should be supporting.</span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt"> </span><span style="font-size:11pt"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-US" style="font-size:11pt">Regards,<br><br>Martijn </span><span style="font-size:11pt"><u></u><u></u></span></p></div></div></div></div></div>_______________________________________________<br>
Smcwg-public mailing list<br>
<a href="mailto:Smcwg-public@cabforum.org" target="_blank">Smcwg-public@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/smcwg-public" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/smcwg-public</a><br>
</div></blockquote></div>
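<p>The two fields the thread is about, the revokedCertificates entry's revocationDate and its invalidityDate CRL entry extension (OID 2.5.29.24, RFC 5280 section 5.3.2), as an added example that is not part of the mailing-list messages or of any CA/Browser Forum document. It DER-encodes one CRL entry with the standard library, decodes it again, and lints it against the two relationships the messages describe: whether the revocationDate was backdated, and whether invalidityDate equals revocationDate (the Code Signing rule as quoted by Martijn). The serial numbers and timestamps are constructed, and the "time the CA processed the revocation" used to detect backdating is an assumed input taken from the CA's own records, not a field of the CRL.</p>

```python
"""
Added example, not code from the mailing-list thread or from the CA/Browser Forum:
encode an RFC 5280 CRL revokedCertificates entry carrying the invalidityDate
CRL entry extension (OID 2.5.29.24), decode it, and lint revocationDate against
invalidityDate and against the time the revocation was actually processed.
Standard library only; all sample data below is constructed.
"""
from datetime import datetime, timezone

INVALIDITY_DATE_OID = bytes.fromhex("551d18")  # 2.5.29.24, DER-encoded

# Constructed timeline: key compromise on 1 August, revocation processed by the
# CA on 20 September 2023, CA chooses to backdate revocationDate to the compromise.
COMPROMISED_AT = datetime(2023, 8, 1, 9, 0, tzinfo=timezone.utc)
PROCESSED_AT = datetime(2023, 9, 20, 11, 26, tzinfo=timezone.utc)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _integer(value):
    # Minimal two's-complement encoding; a leading 0x00 keeps positive serials positive.
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _time(dt, force_generalized=False):
    # RFC 5280 4.1.2.5: UTCTime through 2049, GeneralizedTime from 2050 onward.
    # RFC 5280 5.3.2: invalidityDate is always GeneralizedTime.
    dt = dt.astimezone(timezone.utc)
    if force_generalized or dt.year >= 2050:
        return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def encode_crl_entry(serial, revocation_date, invalidity_date=None):
    """DER for one revokedCertificates entry: serial, revocationDate, optional invalidityDate."""
    body = _integer(serial) + _time(revocation_date)
    if invalidity_date is not None:
        ext = _tlv(0x30, _tlv(0x06, INVALIDITY_DATE_OID)
                   + _tlv(0x04, _time(invalidity_date, force_generalized=True)))
        body += _tlv(0x30, ext)  # crlEntryExtensions SEQUENCE OF Extension
    return _tlv(0x30, body)


def _parse_tlv(data, off):
    tag, first = data[off], data[off + 1]
    if first & 0x80:
        n = first & 0x7F
        length, hdr = int.from_bytes(data[off + 2:off + 2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    end = off + hdr + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[off + hdr:end], end


def _decode_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:      # UTCTime YYMMDDHHMMSSZ; century rule from RFC 5280 4.1.2.5.1
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:    # GeneralizedTime YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("non-DER time string %r" % s)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def decode_crl_entry(entry):
    """Return serial, revocationDate and (if present) invalidityDate of a DER entry."""
    tag, body, end = _parse_tlv(entry, 0)
    if tag != 0x30 or end != len(entry):
        raise ValueError("not a single SEQUENCE")
    _, ser, off = _parse_tlv(body, 0)
    tag, val, off = _parse_tlv(body, off)
    result = {"serial": int.from_bytes(ser, "big", signed=True),
              "revocation_date": _decode_time(tag, val), "invalidity_date": None}
    if off < len(body):
        _, exts, _ = _parse_tlv(body, off)
        eoff = 0
        while eoff < len(exts):
            _, ext, eoff = _parse_tlv(exts, eoff)
            _, oid, o = _parse_tlv(ext, 0)
            tag, val, o = _parse_tlv(ext, o)
            if tag == 0x01:          # optional critical BOOLEAN precedes extnValue
                tag, val, o = _parse_tlv(ext, o)
            if oid == INVALIDITY_DATE_OID:
                result["invalidity_date"] = _decode_time(*_parse_tlv(val, 0)[:2])
    return result


def lint_crl_entry(entry, processed_at, require_match):
    """Findings for one entry (empty list = consistent). processed_at is the time the
    CA actually processed the revocation, taken from its own records (an assumption of
    this example). require_match applies the Code Signing rule quoted in the thread:
    invalidityDate must equal revocationDate."""
    e = decode_crl_entry(entry)
    rd, inv = e["revocation_date"], e["invalidity_date"]
    findings = []
    if rd > processed_at:
        findings.append("revocationDate is later than the time the revocation was processed")
    elif rd < processed_at:
        findings.append("revocationDate is backdated")  # the case the thread asks the SBRs to address
    if inv is not None:
        if inv > rd:
            findings.append("invalidityDate is later than revocationDate")
        if require_match and inv != rd:
            findings.append("invalidityDate differs from revocationDate")
    return findings


if __name__ == "__main__":
    entry = encode_crl_entry(0x1A2B3C, COMPROMISED_AT, COMPROMISED_AT)
    print(entry.hex())
    print(lint_crl_entry(entry, PROCESSED_AT, require_match=True))
```

<p>Run as a script it prints the DER of a backdated, internally consistent entry and the single finding "revocationDate is backdated"; switching the revocationDate to PROCESSED_AT while leaving invalidityDate at the compromise time produces the Code Signing mismatch finding under require_match=True and no finding under require_match=False, which is exactly the gap in the SBRs the thread is discussing. Note that backdating cannot be detected from the CRL alone: the entry carries no record of when the CA acted, so the check needs the CA's own processing timestamp.</p>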