[cabfpub] Short-Lived Certificate Draft Ballot
rob.stradling at comodo.com
Thu Oct 8 08:19:06 MST 2015
On 08/10/15 08:43, Jeremy Rowley wrote:
> Here’s the draft ballot for short-lived certs. Let me know if you have
> any requested changes and (for the endorsers) whether the endorsements
> stand with this language. Thanks!
> *Ballot XXX – Short-Lived Certificates*
> The following motion has been proposed by Jeremy Rowley of DigiCert and
> endorsed by Ryan Sleevi of Google and Gervase Markham of Mozilla.
> -- MOTION BEGINS –
Hi Jeremy. I think these Definitions can be improved...
> _Issuance Time: The time when a digital signature is applied to a
> Certificate by the Issuing CA._
It's the TBSCertificate, not the Certificate, that is signed by the
Also, ISTM that that definition is describing the time at which the
Issuing CA bolts together the TBSCertificate and the signature to
produce the Certificate. That usually happens immediately after the
signature has been calculated, but this is not guaranteed.
Also, " by the Issuing CA" seems at best redundant, and at worst
unhelpful. I think DigiNotar could've argued that the certs their CA
system misissued were _not_ issued "by the Issuing CA" organization,
because it was individuals who were not authorized "by the Issuing CA"
organization that caused the certs to be issued.
However, DigiNotar could not have argued that the misissued certs were
So I propose this definition...
"Issuance Time: The time at which a Certificate's digital signature
> _Short-Lived Certificate: A Certificate with a total validity period
> less than 96 hours and a notBefore time no earlier than 24 hours before
> the Issuance Time and a notAfter time no later than 72 hours after the
> Issuance Time._
"total" seems redundant.
Also, "Validity Period" is already a Defined Term. It would make sense
to use it! The current definition...
"Validity Period: The period of time measured from the date when the
Certificate is issued until the Expiry Date."
...seems wrong though. Shouldn't it be the period of time between
notBefore and notAfter?
Senior Research & Development Scientist
COMODO - Creating Trust Online
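The draft definition quoted above turns into three checks on notBefore, notAfter and the Issuance Time. The following is an added example that is not part of this thread or of any CA/B Forum or Comodo code; it assumes the Issuance Time is supplied from the CA's own issuance records, since it is not encoded in the certificate itself, and it reads the Validity Period as the span between notBefore and notAfter, as Rob suggests.

```python
from datetime import datetime, timedelta, timezone

# Limits taken from the draft ballot's definition of Short-Lived Certificate.
MAX_VALIDITY = timedelta(hours=96)   # "less than 96 hours"
MAX_BACKDATE = timedelta(hours=24)   # notBefore no earlier than 24h before issuance
MAX_FORWARD = timedelta(hours=72)    # notAfter no later than 72h after issuance


def validity_period(not_before, not_after):
    """Validity Period read as the time between notBefore and notAfter."""
    return not_after - not_before


def short_lived_problems(not_before, not_after, issuance_time):
    """Return the reasons a certificate fails the draft definition.

    An empty list means the certificate qualifies as Short-Lived. The
    issuance_time is the moment the CA computed the signature; only the
    CA (or an auditor with its logs) knows it, so this check belongs in
    the issuance pipeline or a post-issuance audit, not in a client.
    """
    problems = []
    if not_after <= not_before:
        problems.append("notAfter must be after notBefore")
    if validity_period(not_before, not_after) >= MAX_VALIDITY:
        problems.append("validity period is not less than 96 hours")
    if not_before < issuance_time - MAX_BACKDATE:
        problems.append("notBefore is more than 24 hours before issuance time")
    if not_after > issuance_time + MAX_FORWARD:
        problems.append("notAfter is more than 72 hours after issuance time")
    return problems


def is_short_lived(not_before, not_after, issuance_time):
    return not short_lived_problems(not_before, not_after, issuance_time)


# Constructed sample issuance time (hypothetical, for illustration only).
SAMPLE_ISSUANCE = datetime(2015, 10, 8, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Edge case: exactly 24h back and exactly 72h forward are each allowed,
    # but together they give a 96h Validity Period, which the definition rejects.
    print(short_lived_problems(SAMPLE_ISSUANCE - timedelta(hours=24),
                               SAMPLE_ISSUANCE + timedelta(hours=72),
                               SAMPLE_ISSUANCE))
```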