[cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

Rob Stradling rob.stradling at comodo.com
Thu Nov 28 22:47:10 UTC 2013

On 28/11/13 22:27, Gervase Markham wrote:
> On 28/11/13 22:21, Rob Stradling wrote:
>> Hmmm...might that just encourage some CAs to "backdate" the notBefore
>> date and carry on issuing 60-month certs beyond April 2014?
> I'm fairly sure that we would look very dimly on a CA which attempted to
> work round our desired restrictions in this manner.

Sure.  But it'd be nice if you could say "You've broken Rule X" rather 
than "You've not actually broken any rules, but we really don't like 
what you've done".

If Mozilla consider backdating notBefore dates to be a potentially 
problematic practice, then I'd expect to see it mentioned here...


> I'd like it if proper cert issuance dates were available; I believe CT
> will give us that.

When the Precertificate mechanism is used, then yes, because the logging 
of the Precertificate occurs during the issuance of the certificate.

But when the Precertificate mechanism is not used, CT will only tell you 
when the certificate was first publicly logged.  It won't tell you when 
the certificate was issued.
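The distinction drawn in this message, as an added example that is not part of the original post: a check for whether CT evidence can show that a certificate's notBefore was backdated across a policy cutoff. The cutoff day (the thread only says "April 2014"), the function name, the verdict strings and the sample records are all assumptions constructed for illustration; the entry type names are the RFC 6962 log entry types.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Assumption: the thread says only "April 2014"; the 1st is used here.
CUTOFF = utc(2014, 4, 1)

def classify(not_before, observations, cutoff=CUTOFF):
    """Return what CT evidence proves about a certificate and the cutoff.

    observations: list of (entry_type, log_timestamp) where entry_type is
    'precert_entry' or 'x509_entry'.
    - A precert_entry is logged during issuance, so its timestamp is
      (approximately) the issuance time.
    - An x509_entry only shows when the certificate was first publicly
      logged, i.e. an upper bound on the issuance time.
    """
    if not_before >= cutoff:
        return "dated_after_cutoff"          # nothing to dispute
    times = [ts for _, ts in observations]
    if times and min(times) < cutoff:
        # Seen by a log before the cutoff, so it really predates it.
        return "existed_before_cutoff"
    if any(kind == "precert_entry" for kind, _ in observations):
        # Issuance-time evidence falls on or after the cutoff, yet
        # notBefore claims an earlier date.
        return "backdated_across_cutoff"
    # Only late x509_entry sightings (or none): issuance may have been
    # earlier than first logging, so backdating cannot be shown.
    return "inconclusive"

# Constructed sample records: (notBefore, CT observations).
SAMPLES = {
    "honest-old":  (utc(2014, 3, 1), [("x509_entry", utc(2014, 3, 2))]),
    "backdated":   (utc(2014, 3, 1), [("precert_entry", utc(2014, 6, 10))]),
    "logged-late": (utc(2014, 3, 1), [("x509_entry", utc(2014, 6, 10))]),
    "never-seen":  (utc(2014, 3, 1), []),
    "new-rules":   (utc(2014, 5, 1), [("precert_entry", utc(2014, 5, 1))]),
}

def report(samples=SAMPLES):
    return {name: classify(nb, obs) for name, (nb, obs) in samples.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:12} {verdict}")
```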

