[cabfpub] Short-Lived Certs - the return
gerv at mozilla.org
Fri Mar 13 23:40:54 UTC 2015
On 10/03/15 11:14, Jeremy Rowley wrote:
> *_Short-Lived Certificate_*_: An end-entity Certificate containing a
> validity period of 72 hours or less and where the Certificate is issued
> by the CA within 24-hours after the notBefore Date listed in the
In my proposal, at least, it was 73 hours, and the CA was supposed to
issue around 24.5 hours after the notBefore date they were using (or, to
put it another way, set notBefore to 24.5 hours before the issue time).
This would make the lifetime of the cert for clients with accurate
clocks just over 2 days, with an expectation that it would be replaced
after 1 day.

If you say "within 24 hours", a) that means they can't do 24.5, and b)
it means they can do 0, which gives a 3-day lifetime, 50% longer than my

So I'd write:

"An end-entity Certificate containing a validity period of 73 hours or
less and where the notBefore date listed in the Certificate is set to
between 24 and 25 hours before the time of issuance."
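
The date arithmetic discussed in this message, as an added example that is not part of the original email: it checks one certificate's dates against both the quoted wording and the wording proposed in the reply, and reports the lifetime seen by a client with an accurate clock. The function names and sample dates are constructed; it assumes validity is notAfter minus notBefore and that "between 24 and 25 hours" includes both endpoints.

```python
from datetime import datetime, timedelta, timezone

H = timedelta(hours=1)

def evaluate(not_before, not_after, issued_at):
    """Check a certificate's dates against both wordings in the thread.

    Assumptions (not from the thread): validity = notAfter - notBefore,
    and range endpoints are inclusive.
    """
    validity = not_after - not_before
    backdate = issued_at - not_before  # how far notBefore precedes issuance
    return {
        # Quoted wording: <= 72h validity, issued within 24h after notBefore.
        "quoted_wording": validity <= 72 * H and timedelta(0) <= backdate <= 24 * H,
        # Reply's wording: <= 73h validity, notBefore 24 to 25h before issuance.
        "reply_wording": validity <= 73 * H and 24 * H <= backdate <= 25 * H,
        # Lifetime as seen by a client with an accurate clock.
        "effective_hours": (not_after - issued_at) / H,
    }

def make_cert(issued_at, backdate_hours, validity_hours):
    """Constructed sample: return (notBefore, notAfter, issued_at)."""
    not_before = issued_at - backdate_hours * H
    return not_before, not_before + validity_hours * H, issued_at

ISSUED = datetime(2015, 3, 13, 12, 0, tzinfo=timezone.utc)  # constructed issue time
SAMPLES = {
    "73h validity, notBefore backdated 24.5h": make_cert(ISSUED, 24.5, 73),
    "72h validity, no backdating": make_cert(ISSUED, 0, 72),
    "73h validity, no backdating": make_cert(ISSUED, 0, 73),
}

if __name__ == "__main__":
    for label, dates in SAMPLES.items():
        print(label, evaluate(*dates))
```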