[cabfpub] Short-Lived Certs - the return

Gervase Markham gerv at mozilla.org
Fri Mar 13 16:40:54 MST 2015


On 10/03/15 11:14, Jeremy Rowley wrote:
> Short-Lived Certificate: An end-entity Certificate containing a
> validity period of 72 hours or less and where the Certificate is issued
> by the CA within 24 hours after the notBefore Date listed in the
> Certificate.

In my proposal, at least, it was 73 hours, and the CA was supposed to
issue around 24.5 hours after the notBefore date they were using (or, to
put it another way, set notBefore to 24.5 hours before the issue time).
This would make the lifetime of the cert for clients with accurate
clocks just over 2 days, with an expectation that it would be replaced
after 1 day.

If you say "within 24 hours", a) that means they can't do 24.5, and b)
it means they can do 0, which gives a 3-day lifetime, 50% longer than my
proposal.

So I'd write:

"An end-entity Certificate containing a validity period of 73 hours or
less and where the notBefore date listed in the Certificate is set to
between 24 and 25 hours before the time of issuance."

Gerv
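The two definitions discussed in this message, written out as checks over a certificate's notBefore, notAfter and actual issuance time. This is an added illustration, not code from the thread or from the CA/Browser Forum; the `CertTimes` class, the function names and the sample issuance time are my own constructions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)


@dataclass(frozen=True)
class CertTimes:
    not_before: datetime
    not_after: datetime
    issued_at: datetime  # when the CA actually signed the certificate


def validity_period(c: CertTimes) -> timedelta:
    return c.not_after - c.not_before


def effective_lifetime(c: CertTimes) -> timedelta:
    """Lifetime as seen by a client with an accurate clock: issuance to notAfter."""
    return c.not_after - c.issued_at


def meets_rowley_definition(c: CertTimes) -> bool:
    # 72 h or less, issued within 24 h after notBefore (an offset of 0 is allowed)
    offset = c.issued_at - c.not_before
    return validity_period(c) <= 72 * HOUR and timedelta(0) <= offset <= 24 * HOUR


def meets_markham_definition(c: CertTimes) -> bool:
    # 73 h or less, notBefore set between 24 and 25 h before issuance
    offset = c.issued_at - c.not_before
    return validity_period(c) <= 73 * HOUR and 24 * HOUR <= offset <= 25 * HOUR


T0 = datetime(2015, 3, 13, 12, 0, tzinfo=timezone.utc)  # constructed issuance time


def markham_example(issued_at: datetime = T0) -> CertTimes:
    """Gerv's intended shape: notBefore backdated 24.5 h, 73 h validity."""
    nb = issued_at - 24.5 * HOUR
    return CertTimes(nb, nb + 73 * HOUR, issued_at)


def rowley_zero_offset_example(issued_at: datetime = T0) -> CertTimes:
    """Allowed by the 'within 24 hours' wording: no backdating, 72 h validity."""
    return CertTimes(issued_at, issued_at + 72 * HOUR, issued_at)


def hours(td: timedelta) -> float:
    return td / HOUR


if __name__ == "__main__":
    for name, c in (("markham", markham_example()), ("rowley@0", rowley_zero_offset_example())):
        print(name, hours(effective_lifetime(c)), meets_rowley_definition(c), meets_markham_definition(c))
```

Running it shows the point of the message: the backdated certificate lives 48.5 hours for an accurate clock, while a zero-offset certificate that still satisfies the "within 24 hours" wording lives the full 72 hours.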

