[cabfpub] Ballot proposal for Issuance Date

Jeremy Rowley jeremy.rowley at digicert.com
Fri Sep 23 05:03:01 UTC 2016


Ah - I was wondering if you meant a time stamp in addition to a CT time stamp or whether CT logging would qualify. In that case, why not simply require all certs be logged with a CT? Is this simply a temporary step until CT is ready for a larger scale deployment?

> On Sep 23, 2016, at 3:52 AM, Peter Bowen <pzb at amzn.com> wrote:
> 
> 
>> On Sep 22, 2016, at 4:29 PM, Ryan Sleevi <sleevi at google.com> wrote:
>> 
>> 
>> 
>> On Thu, Sep 22, 2016 at 4:24 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:
>> Sorry - jumped to conclusions early on when I saw the title...
>> 
>> Doesn't that make the cert bigger? Seems like a better solution to simply include an issuance time rather than another signed data structure. Companies already complain about cert size all the time.
>> 
>> Companies complain about _unnecessary_ cert size all the time (e.g. unnecessary CPS statements).
>> 
>> This has clear value for the ecosystem. And the cost is only borne in the backdating case.
> 
> And is only extra size if the cert is not already embedding a cryptographically signed timestamp.  SCTs for Certificate Transparency are a type of cryptographically signed timestamp, so any cert with them already has what is needed.
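The point made in the thread above, that an embedded SCT already is a signed timestamp, can be seen by decoding the SCT list structure defined in RFC 6962 and comparing its timestamps with the certificate's notBefore. This is an added example, not part of the original messages: the sample bytes are constructed, the 48-hour tolerance and the helper names are hypothetical, and the log signature is parsed but not verified.

```python
import struct
from datetime import datetime, timedelta, timezone

def parse_sct_list(data: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList; signatures are NOT verified."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length")
        (sct_len,) = struct.unpack_from(">H", data, pos)
        sct = data[pos + 2 : pos + 2 + sct_len]
        if len(sct) != sct_len or sct_len < 47:  # 43-byte header + 4-byte signature header
            raise ValueError("truncated SCT")
        version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct)
        if version != 0:
            raise ValueError("only SCT v1 is handled")
        sig_off = 43 + ext_len
        if sig_off + 4 > sct_len:
            raise ValueError("extensions overrun SCT")
        _hash_alg, _sig_alg, sig_len = struct.unpack_from(">BBH", sct, sig_off)
        if sig_off + 4 + sig_len != sct_len:
            raise ValueError("signature length mismatch")
        when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        scts.append({"log_id": log_id.hex(), "timestamp": when})
        pos += 2 + sct_len
    return scts

def backdated_by(not_before, scts, tolerance=timedelta(hours=48)):
    """Gap between notBefore and the earliest SCT if it exceeds tolerance, else None.
    The 48-hour tolerance is a hypothetical value, not one taken from the thread."""
    gap = min(s["timestamp"] for s in scts) - not_before
    return gap if gap > tolerance else None

def _build_sct(ts, log_byte):
    """Constructed SCT: fake log ID, no extensions, 8 zero bytes as a dummy signature."""
    body = struct.pack(">B32sQH", 0, bytes([log_byte]) * 32, int(ts.timestamp() * 1000), 0)
    body += struct.pack(">BBH", 4, 3, 8) + b"\x00" * 8  # sha256 / ecdsa identifiers
    return struct.pack(">H", len(body)) + body

# Constructed sample: two SCTs issued five seconds apart.
ISSUED = datetime(2016, 9, 22, 23, 0, tzinfo=timezone.utc)
_scts = _build_sct(ISSUED, 0xAA) + _build_sct(ISSUED + timedelta(seconds=5), 0xBB)
SAMPLE_SCT_LIST = struct.pack(">H", len(_scts)) + _scts

if __name__ == "__main__":
    parsed = parse_sct_list(SAMPLE_SCT_LIST)
    print(backdated_by(ISSUED - timedelta(hours=1), parsed))  # within tolerance
    print(backdated_by(datetime(2015, 12, 31, tzinfo=timezone.utc), parsed))  # flagged
```

A real check would also verify each SCT signature against the log's public key before trusting the timestamp.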