[cabfpub] Ballot proposal for Issuance Date

Peter Bowen pzb at amzn.com
Tue Sep 27 10:18:04 MST 2016


It means that the tbsCertificate contains a cryptographically signed timestamp.

This could be a SCT from a CT log or a RFC 3161 timestamp or even an Authenticode timestamp. It also does not require multiple timestamps, so you could include one SCT in the certificate and others via the handshake.

Thanks,
Peter

> On Sep 27, 2016, at 10:09 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> What does "included in the certificate" mean in this case?  Do SCTs included
> as an extension or as part of stapled OCSP response count? If not, this
> proposal will force CT over to embedment only.
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Rob Stradling
> Sent: Friday, September 23, 2016 4:04 AM
> To: Gervase Markham <gerv at mozilla.org>; Peter Bowen <pzb at amzn.com>; CABFPub
> <public at cabforum.org>
> Subject: Re: [cabfpub] Ballot proposal for Issuance Date
> 
> CT permits, but doesn't require, SCTs to be embedded in the cert.  SCTs can
> be provided via OCSP Stapling or a custom TLS extension instead.
> 
> So ISTM that we should consider defining an Issuance Time certificate
> extension.  It might be useful even after we reach the point that CT is
> required for all publicly-trusted serverAuth certs.
> 
> On 23/09/16 09:55, Gervase Markham wrote:
>> On 23/09/16 00:02, Peter Bowen wrote:
>>> Definitions:
>>> (new) Issuance Date: The latest of the notBefore value of a 
>>> certificate and the time value of any cryptographically signed 
>>> timestamps included in a certificate
>> 
>> This is a clever definition because if you just have a notBefore, the 
>> Issuance Date is the notBefore, but if you need to fiddle the 
>> notBefore for compatibility reasons, you can do so by including any 
>> form of cryptographically signed timestamp - which can be an SCT or 
>> anything else you choose.
>> 
>> We could just require CT for such certs, but this definition gives 
>> more flexibility. However, when CT is used everywhere, the definition 
>> still works without modification.
>> 
>> So I like it :-)
>> 
>> Gerv
> 
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
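Added example, not part of the thread above and not code from any of its authors: it applies the proposed definition ("the latest of the notBefore value ... and the time value of any cryptographically signed timestamps included in a certificate") to the one case the thread settles on as counting, SCTs embedded in the certificate. The parser reads the RFC 6962 SignedCertificateTimestampList that is the inner content of the 1.3.6.1.4.1.11129.2.4.2 extension and pulls out each SCT's timestamp; `issuance_date` then takes the maximum. The SCT bytes, log IDs and signature field are constructed test data (the signature is a placeholder and is not verified); a real check must also validate each SCT's signature against the log's public key before treating its timestamp as "cryptographically signed".

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Extension OID carrying embedded SCTs in a final certificate (RFC 6962 section 3.3).
EMBEDDED_SCT_LIST_OID = "1.3.6.1.4.1.11129.2.4.2"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _u16(buf: bytes, pos: int):
    """Read a big-endian uint16 length field; returns (value, new_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    return struct.unpack(">H", buf[pos:pos + 2])[0], pos + 2


def parse_sct(raw: bytes) -> dict:
    """Parse one serialized v1 SignedCertificateTimestamp into its fields.

    Layout: version(1) | log_id(32) | timestamp_ms(8) | ext_len(2) + ext |
            hash_alg(1) sig_alg(1) | sig_len(2) + signature
    """
    if len(raw) < 43:
        raise ValueError("SCT too short")
    if raw[0] != 0:
        raise ValueError(f"unsupported SCT version {raw[0]}")
    log_id = raw[1:33]
    timestamp_ms = struct.unpack(">Q", raw[33:41])[0]
    ext_len, pos = _u16(raw, 41)
    extensions = raw[pos:pos + ext_len]
    pos += ext_len
    if pos + 2 > len(raw):
        raise ValueError("SCT missing signature algorithm")
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    sig_len, pos = _u16(raw, pos + 2)
    signature = raw[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(raw):
        raise ValueError("SCT signature length mismatch")
    return {
        "log_id": log_id,
        # SCT timestamps are milliseconds since the Unix epoch, UTC.
        "timestamp": EPOCH + timedelta(milliseconds=timestamp_ms),
        "extensions": extensions,
        "hash_alg": hash_alg,
        "sig_alg": sig_alg,
        "signature": signature,  # NOT verified here; a real check must do so
    }


def parse_sct_list(blob: bytes) -> list:
    """Parse a SignedCertificateTimestampList: u16 total length, then u16-prefixed SCTs."""
    total, pos = _u16(blob, 0)
    if pos + total != len(blob):
        raise ValueError("SCT list length does not match data")
    scts = []
    while pos < len(blob):
        n, pos = _u16(blob, pos)
        scts.append(parse_sct(blob[pos:pos + n]))
        pos += n
    return scts


def issuance_date(not_before: datetime, sct_list: Optional[bytes]) -> datetime:
    """Ballot definition: the latest of notBefore and every signed timestamp in the cert.

    With no embedded timestamps this is simply notBefore.
    """
    stamps = [s["timestamp"] for s in parse_sct_list(sct_list)] if sct_list else []
    return max([not_before, *stamps])


# --- Constructed sample data (illustration only; the signature is a dummy) ---

def build_sct(timestamp: datetime, log_id: bytes) -> bytes:
    """Serialize a v1 SCT with no extensions and a placeholder signature field."""
    ms = (timestamp - EPOCH) // timedelta(milliseconds=1)
    dummy_sig = b"\x30\x06\x02\x01\x01\x02\x01\x01"  # placeholder, not a valid signature
    return (b"\x00" + log_id + struct.pack(">Q", ms) + struct.pack(">H", 0)
            + b"\x04\x03"  # SignatureAndHashAlgorithm: sha256 (4), ecdsa (3)
            + struct.pack(">H", len(dummy_sig)) + dummy_sig)


def build_sct_list(scts: list) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


# notBefore set a few days early "for compatibility reasons", as the thread discusses.
SAMPLE_NOT_BEFORE = datetime(2016, 9, 20, 0, 0, tzinfo=timezone.utc)
SAMPLE_SCT_LIST = build_sct_list([
    build_sct(datetime(2016, 9, 23, 10, 0, tzinfo=timezone.utc), b"\x01" * 32),
    build_sct(datetime(2016, 9, 23, 11, 30, tzinfo=timezone.utc), b"\x02" * 32),
])

if __name__ == "__main__":
    for sct in parse_sct_list(SAMPLE_SCT_LIST):
        print("SCT log", sct["log_id"][:4].hex(), "at", sct["timestamp"].isoformat())
    print("Issuance Date:", issuance_date(SAMPLE_NOT_BEFORE, SAMPLE_SCT_LIST).isoformat())
```

For the sample data the Issuance Date is the later SCT time, 2016-09-23T11:30:00Z, not the backdated notBefore. If you load certificates with the `cryptography` library, the extension is already parsed into SignedCertificateTimestamp objects whose `.timestamp` you can feed straight into the `max` step; the raw-bytes parser above is for tools that hand you the OCTET STRING contents unwrapped. Note also that SCTs delivered via OCSP stapling or the TLS extension never appear in the certificate, so under this definition they do not move the Issuance Date, which is exactly the concern raised in the quoted reply.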
