[Cscwg-public] Invalidity Date

Bruce Morton Bruce.Morton at entrust.com
Wed Aug 25 17:59:07 UTC 2021


CSBR 13.2.1 states: A Certificate MAY have a one-to-one relationship or one-to-many relationship with the signed Code. Regardless, revocation of a Certificate may invalidate the Code Signatures on all signed Code, some of which could be perfectly sound. Because of this, the CA MAY specify a revocation date in a CRL or OCSP response to time-bind the set of software affected by the revocation, and software should continue to treat objects containing a timestamp dated before the revocation date as valid.

The CSBRs are referring to "revocation date", which I believe should be referring to "invalidity date" as specified in RFC 5280, https://datatracker.ietf.org/doc/html/rfc5280#section-5.3.2.

Note that we need to think of the following dates:

  *   Valid from
  *   Invalidity date
  *   Revocation date
  *   Valid to

The purpose of the Invalidity date is to provide a date in the past, when the key was compromised. The revocation date would be on the date that the certificate was revoked and cannot be a past date.

Would there be any objections in changing "revocation date" to "invalidity date" in a future ballot?


Thanks, Bruce
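An added example, not part of the post above, showing the time-binding decision the CSBR text describes when a CRL entry carries the RFC 5280 invalidityDate extension alongside its revocationDate. The CRLEntry model, the helper names and the sample dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# RFC 5280 section 5.3.2: invalidityDate is a GeneralizedTime (UTC, "YYYYMMDDHHMMSSZ").
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def decode_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime text form used by the invalidityDate extension."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def encode_generalized_time(dt: datetime) -> str:
    """Inverse of decode_generalized_time; always emits the UTC 'Z' form."""
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


@dataclass(frozen=True)
class CRLEntry:
    """Hypothetical model of one revoked-certificate entry in a CRL."""
    serial: int
    revocation_date: datetime                   # revocationDate: when the CA revoked
    invalidity_date: Optional[datetime] = None  # optional id-ce-invalidityDate extension

    def __post_init__(self) -> None:
        # The compromise date lies in the past relative to the revocation; a CA
        # must not assert an invalidity date later than the revocation itself.
        if self.invalidity_date is not None and self.invalidity_date > self.revocation_date:
            raise ValueError("invalidityDate cannot be later than revocationDate")


def time_bind_cutoff(entry: CRLEntry) -> datetime:
    """Date before which timestamped signatures are unaffected by the revocation.

    invalidityDate (the known compromise date) is used when present;
    otherwise the revocationDate is the only cutoff available.
    """
    return entry.invalidity_date or entry.revocation_date


def signature_still_trusted(entry: CRLEntry, timestamp: datetime) -> bool:
    """True when a trusted countersignature timestamp predates the cutoff."""
    return timestamp < time_bind_cutoff(entry)


# Constructed sample: revoked 2021-08-25, key compromise traced back to 2021-06-01.
SAMPLE_ENTRY = CRLEntry(
    serial=0x1234,
    revocation_date=decode_generalized_time("20210825175907Z"),
    invalidity_date=decode_generalized_time("20210601000000Z"),
)
```

With an invalidity date present, code timestamped in May 2021 stays trusted while code timestamped in July 2021 does not, even though both predate the revocation itself.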