[cabfpub] Short-Lived Certificate Draft Ballot

Rob Stradling rob.stradling at comodo.com
Thu Oct 8 15:19:06 UTC 2015

On 08/10/15 08:43, Jeremy Rowley wrote:
> Here’s the draft ballot for short-lived certs. Let me know if you have
> any requested changes and (for the endorsers) whether the endorsements
> stand with this language. Thanks!
> *Ballot XXX – Short-Lived Certificates*
> The following motion has been proposed by Jeremy Rowley of DigiCert and
> endorsed by Ryan Sleevi of Google and Gervase Markham of Mozilla.
> *Definitions:*

Hi Jeremy.  I think these Definitions can be improved...

> _Issuance Time: The time when a digital signature is applied to a
> Certificate by the Issuing CA._

It's the TBSCertificate, not the Certificate, that is signed by the 
Issuing CA.

Also, ISTM that that definition is describing the time at which the 
Issuing CA bolts together the TBSCertificate and the signature to 
produce the Certificate.  That usually happens immediately after the 
signature has been calculated, but this is not guaranteed.

Also, " by the Issuing CA" seems at best redundant, and at worst 
unhelpful.  I think DigiNotar could've argued that the certs their CA 
system misissued were _not_ issued "by the Issuing CA" organization, 
because it was individuals who were not authorized "by the Issuing CA" 
organization that caused the certs to be issued.
However, DigiNotar could not have argued that the misissued certs were 
not issued!

So I propose this definition...

   "Issuance Time: The time at which a Certificate's digital signature
    is calculated."

> _Short-Lived Certificate: A Certificate with a total validity period
> less than 96 hours and a notBefore time no earlier than 24 hours before
> the Issuance Time and a notAfter time no later than 72 hours after the
> Issuance Time._

"total" seems redundant.

Also, "Validity Period" is already a Defined Term.  It would make sense 
to use it!  The current definition...
   "Validity Period: The period of time measured from the date when the
    Certificate is issued until the Expiry Date."
...seems wrong though.  Shouldn't it be the period of time between 
notBefore and notAfter?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
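As an added illustration of the two points raised above (this is example code, not part of the thread or of the ballot text), the following Python check evaluates the draft's three Short-Lived Certificate clauses against a certificate's notBefore, notAfter and Issuance Time, and computes the Validity Period both ways: between notBefore and notAfter, and from issuance until the Expiry Date as the current Baseline Requirements definition reads. All timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Limits taken from the draft ballot's Short-Lived Certificate definition.
MAX_VALIDITY = timedelta(hours=96)   # total validity period must be less than this
MAX_BACKDATE = timedelta(hours=24)   # notBefore no earlier than 24h before Issuance Time
MAX_FORWARD = timedelta(hours=72)    # notAfter no later than 72h after Issuance Time


@dataclass(frozen=True)
class CertValidity:
    """The three timestamps the draft definition depends on (hypothetical holder type)."""
    not_before: datetime
    not_after: datetime
    issuance_time: datetime   # time at which the certificate's signature was calculated


def validity_period(cert):
    """Validity Period measured between notBefore and notAfter."""
    return cert.not_after - cert.not_before


def issued_to_expiry(cert):
    """Validity Period as the current BR wording reads: from issuance until the Expiry Date."""
    return cert.not_after - cert.issuance_time


def short_lived_violations(cert):
    """Return the clauses of the draft definition that the certificate fails (empty if none)."""
    problems = []
    if validity_period(cert) >= MAX_VALIDITY:
        problems.append("validity period not less than 96 hours")
    if cert.not_before < cert.issuance_time - MAX_BACKDATE:
        problems.append("notBefore earlier than 24 hours before Issuance Time")
    if cert.not_after > cert.issuance_time + MAX_FORWARD:
        problems.append("notAfter later than 72 hours after Issuance Time")
    return problems


def is_short_lived(cert):
    return not short_lived_violations(cert)


# Constructed sample inputs (not from the thread).
T0 = datetime(2015, 10, 8, 15, 0, tzinfo=timezone.utc)

# Backdated 12h, expires 60h after issuance: 72h between notBefore and notAfter, all clauses hold.
OK_CERT = CertValidity(T0 - timedelta(hours=12), T0 + timedelta(hours=60), T0)

# Backdated the full 24h and expiring at the full 72h: both window clauses hold, but there are
# 96h between notBefore and notAfter, so the "less than 96 hours" clause fails. Measured from
# issuance to expiry instead, the same certificate shows only 72h, which is the ambiguity
# between the two Validity Period readings.
EDGE_CERT = CertValidity(T0 - timedelta(hours=24), T0 + timedelta(hours=72), T0)

# Not backdated, notAfter 80h after issuance: under 96h in total, but beyond the 72h window.
LATE_CERT = CertValidity(T0, T0 + timedelta(hours=80), T0)


if __name__ == "__main__":
    for name, cert in (("ok", OK_CERT), ("edge", EDGE_CERT), ("late", LATE_CERT)):
        print(name, validity_period(cert), issued_to_expiry(cert),
              short_lived_violations(cert) or "short-lived")
```

The EDGE_CERT case is the one worth noting: depending on which Validity Period definition is applied, the same certificate is either inside or outside the 96-hour limit, so the wording of that Defined Term decides whether a fully backdated, maximally forward-dated certificate qualifies.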
