[cabfpub] Ballot proposal for Issuance Date
Erwann Abalea
Erwann.Abalea at docusign.com
Fri Sep 23 09:56:19 UTC 2016
Hello,
Some thoughts.
If the certificate contains a notBefore=T, some SCTs with the latest having a date=T+2 years, and a notAfter=notBefore+5 years, will this certificate be BR-compliant, then?
If the latest of those SCTs is signed by a rogue CT-log, does that count?
If the latest of those SCTs is signed by a previously « community-approved » CT-log, and during the validity period becomes « no longer approved », the validity period will then change, same questions.
Regards,
Erwann Abalea
> On 23 Sept 2016, at 01:02, Peter Bowen <pzb at amzn.com> wrote:
>
> I would like to propose a change to cover a current gap in the BRs. Right now there is no clear link from content in the certificate to the date of issuance of the certificate. I would propose the following change to the BR. Note that this intentionally only covers Subscriber (End-entity) certificates, not CA certificates.
>
> What do others think?
>
> Definitions:
> (new) Issuance Date: The latest of the notBefore value of a certificate and the time value of any cryptographically signed timestamps included in a certificate
>
> (modified) Validity Period: The period of time measured from the Issuance Date of a Certificate until the Expiry Date of a Certificate.
>
> (new) 7.1.2.3(g) Issuance Date
> The Issuance Date of the certificate must be no more than 24 hours from (either before or after) the date when the CA signed the certificate.
>
> Thanks,
> Peter
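
The scenario raised in the reply, worked through as an added example (not code from either poster or from the CA/Browser Forum): it parses an RFC 6962 SCT list, computes the proposed Issuance Date, and shows how the result moves depending on which logs' SCTs are counted. The `accepted_logs` filter, the log IDs, the dummy signatures and the assumption that the CA signed at time T are all constructed for illustration; SCT signatures are not verified.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_sct_list(data):
    """Return [(log_id, timestamp)] from an RFC 6962 SignedCertificateTimestampList."""
    (total,) = struct.unpack_from(">H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        (n,) = struct.unpack_from(">H", data, pos)
        sct = data[pos + 2:pos + 2 + n]
        if len(sct) != n or n < 41 or sct[0] != 0:  # v1 = version byte 0
            raise ValueError("truncated or non-v1 SCT")
        (ms,) = struct.unpack_from(">Q", sct, 33)  # after version(1) + log_id(32)
        scts.append((sct[1:33], EPOCH + timedelta(milliseconds=ms)))
        pos += 2 + n
    return scts

def issuance_date(not_before, scts, accepted_logs=None):
    """Latest of notBefore and the SCT timestamps (proposed definition).
    accepted_logs is a hypothetical filter; signatures are NOT verified here."""
    times = [t for log, t in scts if accepted_logs is None or log in accepted_logs]
    return max([not_before, *times])

def within_24h(issuance, signed_at):
    """Proposed 7.1.2.3(g): Issuance Date within 24 hours of CA signing time."""
    return abs(issuance - signed_at) <= timedelta(hours=24)

def make_sct(log_id, when):
    """Build a constructed v1 SCT with a dummy signature (test data only)."""
    ms = (when - EPOCH) // timedelta(milliseconds=1)
    body = b"\x00" + log_id + struct.pack(">Q", ms) + b"\x00\x00" + b"\x04\x03\x00\x01\x00"
    return struct.pack(">H", len(body)) + body

# Constructed scenario from the reply: notBefore=T, latest SCT at T+2 years, notAfter=T+5 years
T = datetime(2016, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = T + timedelta(days=5 * 365)
LOG_A, LOG_B = b"A" * 32, b"B" * 32  # placeholder log IDs
raw = make_sct(LOG_A, T + timedelta(minutes=1)) + make_sct(LOG_B, T + timedelta(days=730))
SCT_LIST = struct.pack(">H", len(raw)) + raw

if __name__ == "__main__":
    for label, logs in (("all SCTs", None), ("only log A", {LOG_A})):
        d = issuance_date(T, parse_sct_list(SCT_LIST), logs)
        print(label, d.isoformat(), "validity:", NOT_AFTER - d, "24h rule:", within_24h(d, T))
```

Counting every SCT gives a three-year Validity Period and fails the 24-hour rule; counting only log A gives nearly five years and passes, so the outcome depends entirely on which logs are treated as authoritative.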