[cabfpub] Short lived certificates

Brian Smith brian at briansmith.org
Tue Oct 6 20:24:23 UTC 2015

On Tue, Oct 6, 2015 at 3:21 AM, Jeremy Rowley <jeremy.rowley at digicert.com>

> Yes – it’s backwards.  That was an error on my part. The rationale on 48
> hours from issuance is that we’ve always talked about 3 days – 1 on the
> backend and 2 on the front.  48 was picked as a starting point for
> discussion purposes, not as the final proposal.
> Other items mentioned by Doug previous that need to be addressed include:
> 1)      The timeframe should be based on notBefore since issuance date
> isn’t defined
> 2)      Simply state that short-lived certs cannot be generated more than
> 24 hours before the notBefore date
There is still a need to define issuance date/time. Otherwise, you could
not specify the requirements for how far in the past/future notBefore must
be. And, that would make the requirements for notAfter murky too.

I suggest that issuance time IT be defined as the time the CA signed the
certificate with its private key. The certificate's notBefore time NB must
be not be more than 24 hours earlier than IT and must not be more than 24
hours after IT. Similarly, the certificate's notAfter NA time must be no
more than 48 hours after IT.

That is, all the following must be true:
NB >= IT - 24
NB <= IT + 24
NA <= IT + 48.

Note that I chose the values "24" and "48" for consistency with what you
chose. I don't know if "24" and "48" are the best choices. However, the
current minimum OCSP staleness is not a good choice because it is too long.
We should, instead, shorten the maximum OCSP staleness.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151006/4c89b65f/attachment-0003.html>

More information about the Public mailing list