[cabfpub] Concerns regarding Mozilla Root Program/Baseline Requirements

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Wed Aug 7 08:12:27 UTC 2013

On 08/07/2013 08:50 AM, From kirk_hall at trendmicro.com:
> I can say that the only explicit requirement included in the initial 
> BRs about maximum validity period for certs is BR 9.4 – and by its 
> terms, it clearly does not apply to certs issued or agreements made 
> before the effective date of the BRs.

Correct me if I'm wrong, but this doesn't apply to the specific 
certificate we discussed here (as brought forward by Ryan). It was 
apparently issued this year, so whatever your stance is for certificates 
issued before 2012 June, it's not relevant here.

Of course it's easy to change the notbeforeDate in a certificate to 
anywhere sometime before the BR was enforced. Those CAs that comply to 
the BRs requirements will certainly appreciate it.

And since you are surprised about the logical expectation as we've 
discussed it extensively, why do you think the BR has a staged approach 
for long-living certificates - first to 60 month and then to 39 month? 
What could be the reason for it?

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130807/e339f4ed/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130807/e339f4ed/attachment-0001.p7s>

More information about the Public mailing list