[cabfpub] Ballot proposal for Issuance Date
Jeremy Rowley
jeremy.rowley at digicert.com
Thu Sep 22 22:03:01 MST 2016
Ah - I was wondering if you meant a time stamp in addition to a CT time stamp or whether CT logging would qualify. In that case, why not simply require all certs be logged with a CT? Is this simply a temporary step until CT is ready for a larger scale deployment?
> On Sep 23, 2016, at 3:52 AM, Peter Bowen <pzb at amzn.com> wrote:
>
>
>> On Sep 22, 2016, at 4:29 PM, Ryan Sleevi <sleevi at google.com> wrote:
>>
>>
>>
>> On Thu, Sep 22, 2016 at 4:24 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>> Sorry - jumped to conclusions early on when I saw the title...
>>
>> Doesn't that make the cert bigger? Seems like a better solution to simply include an issuance time rather than another signed data structure. Companies already complain about cert size all the time.
>>
>> Companies complain about _unnecessary_ cert size all the time (e.g. unnecessary CPS statements).
>>
>> This has clear value for the ecosystem. And the cost is only borne in the backdating case.
>
> And is only extra size if the cert is not already embedding a cryptographically signed timestamp. SCTs for Certificate Transparency are a type of cryptographically signed timestamp, so any cert with them already has what is needed.
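The point made in the thread, that an embedded SCT already carries a timestamp, can be checked mechanically. The sketch below is an added example, not code from any participant or from the CA/Browser Forum: it reads the timestamps out of an RFC 6962 SignedCertificateTimestampList and measures how far notBefore precedes the earliest one. The sample list, the helper names and the 48-hour tolerance are assumptions made for the illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SCT_MIN = 47  # version 1 + log id 32 + timestamp 8 + ext len 2 + algs 2 + sig len 2

def sct_timestamps(blob):
    """Timestamps of the v1 SCTs in an RFC 6962 SignedCertificateTimestampList.
    Signatures are NOT verified here; a timestamp only counts as evidence
    once the log's signature over the SCT has been checked."""
    (total,) = struct.unpack_from(">H", blob, 0)
    if total != len(blob) - 2:
        raise ValueError("list length does not match data")
    stamps, pos = [], 2
    while pos < len(blob):
        (n,) = struct.unpack_from(">H", blob, pos)
        sct = blob[pos + 2 : pos + 2 + n]
        pos += 2 + n
        if len(sct) != n or n < SCT_MIN:
            raise ValueError("truncated SCT")
        version, _log_id, ms, ext_len = struct.unpack_from(">B32sQH", sct, 0)
        if version != 0:  # 0 means v1; skip versions this parser does not know
            continue
        if 43 + ext_len + 4 > n:
            raise ValueError("bad extensions length")
        _hash, _sig, sig_len = struct.unpack_from(">BBH", sct, 43 + ext_len)
        if 43 + ext_len + 4 + sig_len != n:
            raise ValueError("bad signature length")
        stamps.append(EPOCH + timedelta(milliseconds=ms))
    return stamps

def backdating_gap(not_before, blob):
    """How far notBefore precedes the earliest SCT timestamp (negative if it does not)."""
    return min(sct_timestamps(blob)) - not_before

def build_sct_list(times):
    """Constructed sample data: SCTs with a zeroed log id and a placeholder signature."""
    items = b""
    for t in times:
        ms = (t - EPOCH) // timedelta(milliseconds=1)
        sct = struct.pack(">B32sQH", 0, bytes(32), ms, 0) + struct.pack(">BBH", 4, 3, 8) + bytes(8)
        items += struct.pack(">H", len(sct)) + sct
    return struct.pack(">H", len(items)) + items

LOGGED = datetime(2016, 9, 22, tzinfo=timezone.utc)  # constructed log time
SAMPLE = build_sct_list([LOGGED, LOGGED + timedelta(seconds=5)])
TOLERANCE = timedelta(hours=48)  # assumed threshold, not taken from the thread

def is_backdated(not_before, blob, tolerance=TOLERANCE):
    return backdating_gap(not_before, blob) > tolerance
```

In a real certificate the list is the content of the embedded SCT extension, and the gap is only meaningful after each SCT's signature has been verified against the log's public key.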