[cabfpub] Ballot proposal for Issuance Date

Peter Bowen pzb at amzn.com
Thu Sep 22 23:22:48 UTC 2016


Jeremy,

The Issuance Date I proposed is explicitly not the notBefore date.  If you want to put the notBefore date 30 days before when you sign the certificate, that is fine.  However you need to include a cryptographically signed timestamp in the certificate that is close to the time when you signed it.  This could be a Signed Certificate Timestamp (from CT), an RFC 3161 timestamp from a Timestamp Authority, or some other format.  This then becomes the “issuanceTime” field.

How does this conflict with RFC 5280?

Thanks,
Peter

> On Sep 22, 2016, at 4:14 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> Last time this came up, I proposed that instead of overwriting RFC 5280's
> meaning of the notBefore date, we should include an issuanceTime field that
> indicates the time of certificate issuance.  That way we avoid conflict with
> the RFCs and have more flexibility with notBefore to address possible clock
> skew issues. I still support an issuanceTime field over creating a
> conflicting definition with the RFC.
> 
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Peter Bowen
> Sent: Thursday, September 22, 2016 5:02 PM
> To: CABFPub <public at cabforum.org>
> Subject: [cabfpub] Ballot proposal for Issuance Date
> 
> I would like to propose a change to cover a current gap in the BRs.  Right
> now there is no clear link from content in the certificate to the date of
> issuance of the certificate.  I would propose the following change to the
> BR.  Note that this intentionally only covers Subscriber (End-entity)
> certificates, not CA certificates.
> 
> What do others think?
> 
> Definitions:
> (new) Issuance Date: The latest of the notBefore value of a certificate and
> the time value of any cryptographically signed timestamps included in a
> certificate
> 
> (modified) Validity Period: The period of time measured from the Issuance
> Date of a Certificate until the Expiry Date of a Certificate.
> 
> (new) 7.1.2.3(g) Issuance Date
> The Issuance Date of the certificate must be no more than 24 hours from
> (either before or after) the date when the CA signed the certificate.
> 
> Thanks,
> Peter
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
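As an added illustration (not from the thread or the BRs), the following Python computes the proposed Issuance Date, the latest of notBefore and any embedded signed timestamp, and applies the proposed 7.1.2.3(g) 24-hour check; the signing time and timestamps are constructed, and SCT timestamps are taken as RFC 6962 milliseconds since the Unix epoch.

```python
from datetime import datetime, timedelta, timezone
from typing import Iterable

WINDOW = timedelta(hours=24)  # proposed 7.1.2.3(g) tolerance, before or after signing


def sct_timestamp_to_datetime(ms_since_epoch: int) -> datetime:
    """RFC 6962 SCTs carry a uint64 timestamp in milliseconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(ms_since_epoch / 1000, tz=timezone.utc)


def issuance_date(not_before: datetime, signed_timestamps: Iterable[datetime]) -> datetime:
    """Issuance Date per the proposal: the latest of notBefore and every
    cryptographically signed timestamp embedded in the certificate (SCTs,
    RFC 3161 tokens).  With no embedded timestamps it collapses to notBefore."""
    candidates = [not_before, *signed_timestamps]
    if any(c.tzinfo is None for c in candidates):
        raise ValueError("all timestamps must be timezone-aware")
    return max(candidates)


def within_issuance_window(issued: datetime, signed_at: datetime,
                           window: timedelta = WINDOW) -> bool:
    """Proposed 7.1.2.3(g): Issuance Date within 24 hours of the CA's signing time."""
    return abs(issued - signed_at) <= window


def demo() -> tuple:
    # Constructed signing time for the example.
    signed_at = datetime(2016, 9, 22, 21, 0, tzinfo=timezone.utc)
    # Case 1 (the situation in Peter's reply): notBefore backdated 30 days, but an
    # SCT logged 5 seconds after signing is embedded, so Issuance Date = SCT time.
    not_before = signed_at - timedelta(days=30)
    sct = sct_timestamp_to_datetime(int(signed_at.timestamp() * 1000) + 5_000)
    case1 = within_issuance_window(issuance_date(not_before, [sct]), signed_at)
    # Case 2: same backdated notBefore with no signed timestamp, so Issuance Date
    # falls back to notBefore, 30 days before signing: outside the window.
    case2 = within_issuance_window(issuance_date(not_before, []), signed_at)
    return case1, case2


if __name__ == "__main__":
    print(demo())
```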




More information about the Public mailing list