[cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

Gervase Markham gerv at mozilla.org
Fri Nov 29 09:16:16 UTC 2013


On 28/11/13 22:47, Rob Stradling wrote:
> If Mozilla consider backdating notBefore dates to be a potentially
> problematic practice, then I'd expect to see it mentioned here...
> https://wiki.mozilla.org/CA:Problematic_Practices
> 
> ;-)

That's an entirely reasonable point :-)

> When the Precertificate mechanism is used, then yes, because the logging
> of the Precertificate occurs during the issuance of the certificate.
> 
> But when the Precertificate mechanism is not used, CT will only tell you
> when the certificate was first publicly logged.  It won't tell you when
> the certificate was issued.

If public logging is required to actually use the certificate, then I
expect the issue time and the public log time to be as near as makes no
practical difference in the vast majority of cases. Even certs issued a
little bit ahead of time in order that they can be swapped over will
probably get logged immediately.

Gerv



More information about the Public mailing list