[cabfpub] Ballot proposal for Issuance Date

Jeremy Rowley jeremy.rowley at digicert.com
Thu Sep 22 23:24:59 UTC 2016


Sorry - jumped to conclusions early on when I saw the title...

Doesn't that make the cert bigger? Seems like a better solution to simply include an issuance time rather than another signed data structure. Companies already complain about cert size all the time.


-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com] 
Sent: Thursday, September 22, 2016 5:23 PM
To: Jeremy Rowley <jeremy.rowley at digicert.com>
Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Ballot proposal for Issuance Date

Jeremy,

The Issuance Date I proposed is explicitly not the notBefore date.  If you want to put the notBefore date 30 days before when you sign the certificate, that is fine.  However you need to include a cryptographically signed timestamp in the certificate that is close to the time when you signed it.  This could be a Signed Certificate Timestamp (from CT), an RFC 3161 timestamp from a Timestamp Authority, or some other format.  This then becomes the “issuanceTime” field.

How does this conflict with RFC 5280?

Thanks,
Peter

> On Sep 22, 2016, at 4:14 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
> 
> Last time this came up, I proposed that instead of overwriting RFC 
> 5280's meaning of the notBefore date, we should include an issuanceTime 
> field that indicates the time of certificate issuance.  That way we 
> avoid conflict with the RFCs and have more flexibility with notBefore 
> to address possible clock skew issues. I still support an issuanceTime 
> field over creating a conflicting definition with the RFC.
> 
> 
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] 
> On Behalf Of Peter Bowen
> Sent: Thursday, September 22, 2016 5:02 PM
> To: CABFPub <public at cabforum.org>
> Subject: [cabfpub] Ballot proposal for Issuance Date
> 
> I would like to propose a change to cover a current gap in the BRs.  
> Right now there is no clear link from content in the certificate to 
> the date of issuance of the certificate.  I would propose the 
> following change to the BR.  Note that this intentionally only covers 
> Subscriber (End-entity) certificates, not CA certificates.
> 
> What do others think?
> 
> Definitions:
> (new) Issuance Date: The latest of the notBefore value of a 
> certificate and the time value of any cryptographically signed 
> timestamps included in a certificate
> 
> (modified) Validity Period: The period of time measured from the 
> Issuance Date of a Certificate until the Expiry Date of a Certificate.
> 
> (new) 7.1.2.3(g) Issuance Date
> The Issuance Date of the certificate must be no more than 24 hours 
> from (either before or after) the date when the CA signed the certificate.
> 
> Thanks,
> Peter
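As an added illustration of the definition in Peter's proposal (this is not code from the thread, from the BRs, or from any CA's implementation): compute the Issuance Date as the latest of notBefore and the timestamps of the SCTs embedded in the certificate, then check the proposed 24-hour window against the CA's signing time. The SCT list layout follows RFC 6962 section 3.3; the SCT bytes are constructed for the demo (zero log id, empty signature) and the function names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_sct_timestamps(sct_list: bytes) -> List[datetime]:
    """Timestamps of every SCT in an RFC 6962 SignedCertificateTimestampList
    (extension 1.3.6.1.4.1.11129.2.4.2 with its OCTET STRING wrapper removed)."""
    (total,) = struct.unpack(">H", sct_list[:2])
    body = sct_list[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated SCT list")
    stamps, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        sct = body[pos + 2:pos + 2 + n]
        if len(sct) != n or sct[:1] != b"\x00":   # only SCT version 1 is defined
            raise ValueError("truncated or unsupported SCT")
        # v1 SCT: version(1) || log_id(32) || timestamp(8, ms since epoch) || ext || sig
        (ms,) = struct.unpack(">Q", sct[33:41])
        stamps.append(EPOCH + timedelta(milliseconds=ms))
        pos += 2 + n
    return stamps

def issuance_date(not_before: datetime, sct_list: Optional[bytes]) -> datetime:
    """Proposed definition: latest of notBefore and any embedded signed timestamp."""
    stamps = parse_sct_timestamps(sct_list) if sct_list else []
    return max([not_before, *stamps])

def meets_7_1_2_3_g(not_before, sct_list, signed_at) -> bool:
    """Proposed 7.1.2.3(g): Issuance Date within 24 hours either side of signing."""
    return abs(issuance_date(not_before, sct_list) - signed_at) <= timedelta(hours=24)

def build_sct_list(stamps: List[datetime]) -> bytes:
    """Constructed v1 SCTs (zero log id, no extensions, empty signature); demo only."""
    scts = b""
    for t in stamps:
        ms = int((t - EPOCH) / timedelta(milliseconds=1))
        sct = b"\x00" + bytes(32) + struct.pack(">Q", ms) + b"\x00\x00" + b"\x04\x03\x00\x00"
        scts += struct.pack(">H", len(sct)) + sct
    return struct.pack(">H", len(scts)) + scts

def demo():
    """notBefore backdated 23 h with an SCT, versus backdated 30 days with no SCT."""
    signed_at = datetime(2016, 9, 22, 23, 5, tzinfo=timezone.utc)
    with_sct = build_sct_list([datetime(2016, 9, 22, 23, 0, tzinfo=timezone.utc)])
    nb_23h = datetime(2016, 9, 22, 0, 0, tzinfo=timezone.utc)
    nb_30d = signed_at - timedelta(days=30)
    return (issuance_date(nb_23h, with_sct).isoformat(),
            meets_7_1_2_3_g(nb_23h, with_sct, signed_at),   # True: the SCT pins the date
            meets_7_1_2_3_g(nb_30d, None, signed_at))       # False: nothing ties it to signing
```

The second case is the one the proposal targets: a backdated notBefore with no signed timestamp leaves nothing in the certificate that places its issuance near the signing time.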
