[cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable
Gervase Markham
gerv at mozilla.org
Fri Nov 29 09:16:16 UTC 2013
On 28/11/13 22:47, Rob Stradling wrote:
> If Mozilla consider backdating notBefore dates to be a potentially
> problematic practice, then I'd expect to see it mentioned here...
> https://wiki.mozilla.org/CA:Problematic_Practices
>
> ;-)
That's an entirely reasonable point :-)
> When the Precertificate mechanism is used, then yes, because the logging
> of the Precertificate occurs during the issuance of the certificate.
>
> But when the Precertificate mechanism is not used, CT will only tell you
> when the certificate was first publicly logged. It won't tell you when
> the certificate was issued.
If public logging is required to actually use the certificate, then I
expect the issue time and the public log time to be as near as makes no
practical difference in the vast majority of cases. Even certs issued a
little bit ahead of time in order that they can be swapped over will
probably get logged immediately.
Gerv