[cabfpub] Short-Lived Certificate Draft Ballot

Tim Hollebeek THollebeek at trustwave.com
Thu Oct 8 18:43:11 UTC 2015

Actually, I prefer the current definition of Validity Period, as it accurately reflects the amount of time the certificate was valid, as opposed to that time plus some additional time during which the certificate didn't even exist, but is valid only to support relying parties who are confused about what time it is.


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Rob Stradling
Sent: Thursday, October 08, 2015 6:19 PM
To: Jeremy Rowley; public at cabforum.org
Subject: Re: [cabfpub] Short-Lived Certificate Draft Ballot

On 08/10/15 08:43, Jeremy Rowley wrote:
> Here’s the draft ballot for short-lived certs. Let me know if you have
> any requested changes and (for the endorsers) whether the endorsements
> stand with this language. Thanks!
> *Ballot XXX – Short-Lived Certificates*
> The following motion has been proposed by Jeremy Rowley of DigiCert
> and endorsed by Ryan Sleevi of Google and Gervase Markham of Mozilla.
> *Definitions:*

Hi Jeremy.  I think these Definitions can be improved...

> _Issuance Time: The time when a digital signature is applied to a
> Certificate by the Issuing CA._

It's the TBSCertificate, not the Certificate, that is signed by the Issuing CA.

Also, ISTM that that definition is describing the time at which the Issuing CA bolts together the TBSCertificate and the signature to produce the Certificate.  That usually happens immediately after the signature has been calculated, but this is not guaranteed.

Also, "by the Issuing CA" seems at best redundant, and at worst unhelpful.  I think DigiNotar could've argued that the certs their CA system misissued were _not_ issued "by the Issuing CA" organization, because it was individuals who were not authorized "by the Issuing CA" organization that caused the certs to be issued.
However, DigiNotar could not have argued that the misissued certs were not issued!

So I propose this definition...

   "Issuance Time: The time at which a Certificate's digital signature
    is calculated."

> _Short-Lived Certificate: A Certificate with a total validity period
> less than 96 hours and a notBefore time no earlier than 24 hours
> before the Issuance Time and a notAfter time no later than 72 hours
> after the Issuance Time._

"total" seems redundant.

Also, "Validity Period" is already a Defined Term.  It would make sense to use it!  The current definition...
   "Validity Period: The period of time measured from the date when the
    Certificate is issued until the Expiry Date."
...seems wrong though.  Shouldn't it be the period of time between notBefore and notAfter?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
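The thread argues about two things a relying party or a CA's own pre-issuance linter would actually have to compute: the Short-Lived Certificate bounds in the draft ballot (notBefore no earlier than 24 hours before Issuance Time, notAfter no later than 72 hours after it, validity period less than 96 hours) and the two competing readings of "Validity Period" (issuance-to-expiry in the current text, notBefore-to-notAfter as Rob suggests). The following is an added example, not code from the ballot, the CA/Browser Forum or any of the posters; it uses only the Python standard library, takes Rob's proposed Issuance Time (the moment the signature is calculated) as the reference point, and the sample timestamps are constructed. It also includes the boundary case where both per-bound checks pass but the validity period is exactly 96 hours, which the "less than 96 hours" clause excludes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Limits taken from the draft ballot text, all relative to Issuance Time.
MAX_VALIDITY = timedelta(hours=96)   # validity period must be strictly less than 96h
MAX_BACKDATE = timedelta(hours=24)   # notBefore no earlier than 24h before issuance
MAX_FORWARD = timedelta(hours=72)    # notAfter no later than 72h after issuance


@dataclass(frozen=True)
class CertTimes:
    """The three timestamps the definitions depend on (hypothetical helper type)."""
    issuance: datetime    # time the signature was calculated (Rob's proposed definition)
    not_before: datetime  # tbsCertificate.validity.notBefore
    not_after: datetime   # tbsCertificate.validity.notAfter


def validity_period_notbefore_to_notafter(c: CertTimes) -> timedelta:
    """Validity Period as Rob reads it: the window encoded in the certificate."""
    return c.not_after - c.not_before


def validity_period_issuance_to_expiry(c: CertTimes) -> timedelta:
    """Validity Period as the current definition quoted on the list reads: issuance to expiry."""
    return c.not_after - c.issuance


def short_lived_violations(c: CertTimes) -> list[str]:
    """Return every Short-Lived Certificate constraint the timestamps fail; empty means it qualifies."""
    problems = []
    if c.not_before > c.not_after:
        problems.append("notBefore after notAfter")
    if validity_period_notbefore_to_notafter(c) >= MAX_VALIDITY:
        problems.append("validity period not less than 96 hours")
    if c.not_before < c.issuance - MAX_BACKDATE:
        problems.append("notBefore more than 24 hours before Issuance Time")
    if c.not_after > c.issuance + MAX_FORWARD:
        problems.append("notAfter more than 72 hours after Issuance Time")
    return problems


def is_short_lived(c: CertTimes) -> bool:
    return not short_lived_violations(c)


# Constructed sample timestamps (not from any real certificate).
ISSUANCE = datetime(2015, 10, 8, 18, 0, tzinfo=timezone.utc)

# Backdated one hour for clock skew, 72h window: qualifies.
SAMPLE_OK = CertTimes(ISSUANCE, ISSUANCE - timedelta(hours=1), ISSUANCE + timedelta(hours=71))

# Backdated 25 hours: validity is only 73h, but notBefore is outside the 24h allowance.
SAMPLE_BACKDATED = CertTimes(ISSUANCE, ISSUANCE - timedelta(hours=25), ISSUANCE + timedelta(hours=48))

# Both bounds sit exactly on their limits; the window is exactly 96h, so it is not "less than 96 hours".
SAMPLE_BOUNDARY = CertTimes(ISSUANCE, ISSUANCE - timedelta(hours=24), ISSUANCE + timedelta(hours=72))


if __name__ == "__main__":
    for name, cert in [("ok", SAMPLE_OK), ("backdated", SAMPLE_BACKDATED), ("boundary", SAMPLE_BOUNDARY)]:
        print(name, short_lived_violations(cert) or "qualifies",
              "notBefore..notAfter:", validity_period_notbefore_to_notafter(cert),
              "issuance..expiry:", validity_period_issuance_to_expiry(cert))
```

Two things the run makes concrete. With the bounds as drafted, the notBefore-to-notAfter window can never exceed 96 hours, so the "less than 96 hours" clause only bites on the exact boundary. And for the skew-backdated certificate the two Validity Period readings differ by exactly the backdating (72h versus 71h), which is the gap between Tim's preference for counting only the time the certificate actually existed and Rob's suggestion of counting the encoded window.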
