[cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable
Rob Stradling
rob.stradling at comodo.com
Thu Nov 28 22:47:10 UTC 2013
On 28/11/13 22:27, Gervase Markham wrote:
> On 28/11/13 22:21, Rob Stradling wrote:
>> Hmmm...might that just encourage some CAs to "backdate" the notBefore
>> date and carry on issuing 60-month certs beyond April 2014?
>
> I'm fairly sure that we would look very dimly on a CA which attempted to
> work round our desired restrictions in this manner.

Sure. But it'd be nice if you could say "You've broken Rule X" rather
than "You've not actually broken any rules, but we really don't like
what you've done".

If Mozilla consider backdating notBefore dates to be a potentially
problematic practice, then I'd expect to see it mentioned here...
https://wiki.mozilla.org/CA:Problematic_Practices
;-)

> I'd like it if proper cert issuance dates were available; I believe CT
> will give us that.

When the Precertificate mechanism is used, then yes, because the logging
of the Precertificate occurs during the issuance of the certificate.

But when the Precertificate mechanism is not used, CT will only tell you
when the certificate was first publicly logged. It won't tell you when
the certificate was issued.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online