[cabfpub] Ballot 111 - Accelerate Max Certificate Lifetime Reduction Timetable

Rob Stradling rob.stradling at comodo.com
Fri Nov 29 11:24:10 UTC 2013

On 29/11/13 09:16, Gervase Markham wrote:
> On 28/11/13 22:47, Rob Stradling wrote:
>> But when the Precertificate mechanism is not used, CT will only tell you
>> when the certificate was first publicly logged.  It won't tell you when
>> the certificate was issued.
> If public logging is required to actually use the certificate, then I
> expect the issue time and the public log time to be as near as makes no
> practical difference in the vast majority of cases. Even certs issued a
> little bit ahead of time in order that they can be swapped over will
> probably get logged immediately.

Probably, yes.  But I can imagine the occasional, entirely innocent, 
edge case...

You mentioned in [1] that some website operators might want to pin a 
"backup provider", presumably to guard against the possibility that 
their preferred CA's Roots might become untrusted.

Related to that, some website operators might buy multiple certs for the 
same domain, intending all but one of those certs to be "backup certs" 
that probably won't ever get used.  If a "backup cert" does ever get 
used, it might only get logged a considerable amount of time after it 
was issued.

[1] http://www.ietf.org/mail-archive/web/websec/current/msg01873.html

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list