[cabfpub] Short-Lived Certificate Draft Ballot
rob.stradling at comodo.com
Thu Oct 8 15:34:19 MST 2015
On 08/10/15 19:51, Ryan Sleevi wrote:
> On Thu, Oct 8, 2015 at 8:19 AM, Rob Stradling wrote:
> So I propose this definition...
> "Issuance Time: The time at which a Certificate's digital signature
> is calculated."
> Seems reasonable. Glad to not be the only one who quibbles on minutiae ;)
> > _Short-Lived Certificate: A Certificate with a total validity period
> > less than 96 hours and a notBefore time no earlier than 24 hours before
> > the Issuance Time and a notAfter time no later than 72 hours after the
> > Issuance Time._
> "total" seems redundant.
> Fair point
> Also, "Validity Period" is already a Defined Term. It would make sense
> to use it! The current definition...
> "Validity Period: The period of time measured from the date when the
> Certificate is issued until the Expiry Date."
> ...seems wrong though. Shouldn't it be the period of time between
> notBefore and notAfter?
> It seems the whole "total validity period less than 96 hours" is itself
> not a normative requirement, but merely serves as a descriptive language
> to make it easier to understand the following two clauses (re: 24 hours
> and 72 hours). You can't have a cert whose Validity Period is greater
> than 96 hours that meets those two definitions, so it's not necessary,
> but it does serve an illustrative point.
> That's me saying that it doesn't seem that your second proposed change
> is necessary, and Tim's point about why the current language is what it
> is is something I'd agree with.
"The validity period for a certificate is the period of time from
notBefore through notAfter, inclusive."
In the interest of avoiding confusion, consistency would be nice.
Could we change "Validity Period" to match RFC5280, and then define a
new term(*) that means "from Issuance Time to Expiry Date, inclusive"?
(*) How about "Certificate Usage Period" ?
(Inspired by RFC2459 section 18.104.22.168)
Senior Research & Development Scientist
COMODO - Creating Trust Online
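Added example, not part of the original e-mail or of any CA/Browser Forum text: a small checker for the draft Short-Lived Certificate definition quoted in the thread, showing how the 24-hour, 72-hour and 96-hour clauses interact and what RFC 5280's inclusive counting does at the boundary. The function names and sample times are assumptions made for illustration, and Issuance Time is supplied by the caller because it is not a field in the certificate.

```python
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)

def validity_period(not_before, not_after, inclusive=True):
    # RFC 5280 wording quoted in the thread: notBefore through notAfter,
    # inclusive. Certificate times have one-second resolution, so counting
    # both endpoints adds one second to the plain difference.
    span = not_after - not_before
    return span + timedelta(seconds=1) if inclusive else span

def check_short_lived(issuance_time, not_before, not_after, inclusive=True):
    """Return the clauses of the draft definition that a certificate violates."""
    problems = []
    if not_after < not_before:
        problems.append("notAfter precedes notBefore")
    if not_before < issuance_time - 24 * HOUR:
        problems.append("notBefore earlier than 24 hours before Issuance Time")
    if not_after > issuance_time + 72 * HOUR:
        problems.append("notAfter later than 72 hours after Issuance Time")
    if validity_period(not_before, not_after, inclusive) >= 96 * HOUR:
        problems.append("validity period not less than 96 hours")
    return problems

# Constructed sample values; Issuance Time is assumed to come from the CA's
# own signing records, since the certificate itself does not carry it.
ISSUED = datetime(2015, 10, 8, 12, 0, 0, tzinfo=timezone.utc)
CASES = {
    "typical":   (ISSUED - 1 * HOUR, ISSUED + 48 * HOUR),
    "boundary":  (ISSUED - 24 * HOUR, ISSUED + 72 * HOUR),   # both limits used in full
    "backdated": (ISSUED - 48 * HOUR, ISSUED + 24 * HOUR),   # 72h span, but starts too early
}

if __name__ == "__main__":
    for name, (nb, na) in CASES.items():
        print(name, validity_period(nb, na), check_short_lived(ISSUED, nb, na))
```

The "boundary" case passes both the notBefore and notAfter clauses yet spans exactly 96 hours by plain difference, so the "less than 96 hours" clause is the only one that flags it.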