[cabfpub] Ballot proposal for Issuance Date

Gervase Markham gerv at mozilla.org
Fri Sep 23 10:01:39 UTC 2016


On 23/09/16 10:56, Erwann Abalea wrote:
> If the certificate contains a notBefore=T, some SCTs with the latest
> having a date=T+2 years, and a notAfter=notBefore+5 years, will this
> certificate be BR-compliant, then?

Good question. I think we should continue to measure certificate
lifetime for BR purposes using notBefore and notAfter, because that's
how clients measure it. Therefore, this means that if you have to
backdate a cert for compatibility reasons, it won't last as long as it
would otherwise. I think that's a small price to pay.

> If the latest of those SCTs is
> signed by a rogue CT-log, does that count? 

If it was generally trusted at the time of the SCT being issued, then yes.

> If the latest of those
> SCTs is signed by a previously « community-approved » CT-log, and
> during the validity period becomes « no longer approved », the
> validity period will then change, same questions.

No, I don't think it will change.

The goal here is to make the backdating of notBefore in certs a
transparent thing without removing the ability to do it entirely, as
that's needed for compatibility reasons. So we make doing it
not-transparently a BR violation, and document how to do it
transparently in a way which doesn't prevent compatibility-backdating.

Gerv
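Editor's note: the following is an added worked example, not part of Gerv's message or of any CA/B Forum ballot text. It shows the two measurements the thread contrasts for Erwann's scenario (notBefore=T, latest SCT at T+2 years, notAfter=T+5 years): the lifetime clients see, taken from notBefore/notAfter, and the backdating that the embedded SCT timestamps make visible. The SCT serialization follows RFC 6962 section 3.3; the SCTs are constructed in-line with a placeholder signature and a made-up log ID (nothing is signed or verified, only timestamps are read), and the 39-month cap is my assumption about the BR limit in force at the time, passed in as a parameter rather than taken from the message.

```python
"""Two ways to measure a certificate's lifetime: from notBefore/notAfter
(what clients do) and relative to the embedded SCT timestamps, which
record when a log actually saw the (pre)certificate.

Added example; the SCT bytes below are constructed here, not real."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def build_sct(log_id: bytes, issued: datetime,
              signature: bytes = b"\x00" * 64) -> bytes:
    """Serialize a v1 SCT (RFC 6962 s3.3). The signature is a placeholder:
    this example never signs or verifies, it only reads timestamps."""
    if len(log_id) != 32:
        raise ValueError("log_id must be 32 bytes")
    ts_ms = (issued - EPOCH) // timedelta(milliseconds=1)
    out = b"\x00"                                   # sct_version v1
    out += log_id                                   # LogID (SHA-256 of log key)
    out += struct.pack(">Q", ts_ms)                 # timestamp, ms since epoch
    out += struct.pack(">H", 0)                     # no CtExtensions
    out += bytes([4, 3])                            # hash sha256, sig ecdsa
    out += struct.pack(">H", len(signature)) + signature
    return out


def build_sct_list(scts: list) -> bytes:
    """SignedCertificateTimestampList: 2-byte length, then 2-byte-prefixed SCTs."""
    inner = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(inner)) + inner


def parse_sct(sct: bytes) -> dict:
    """Pull log_id and timestamp out of one serialized v1 SCT."""
    if len(sct) < 43 or sct[0] != 0:
        raise ValueError("not a v1 SCT")
    log_id = sct[1:33]
    (ts_ms,) = struct.unpack(">Q", sct[33:41])
    (ext_len,) = struct.unpack(">H", sct[41:43])
    off = 43 + ext_len                              # start of DigitallySigned
    if len(sct) < off + 4:
        raise ValueError("SCT truncated before signature")
    (sig_len,) = struct.unpack(">H", sct[off + 2:off + 4])
    if len(sct) != off + 4 + sig_len:
        raise ValueError("SCT signature length mismatch")
    return {"log_id": log_id,
            "timestamp": EPOCH + timedelta(milliseconds=ts_ms)}


def parse_sct_list(data: bytes) -> list:
    """Parse a serialized SCT list, rejecting truncated or overlong input."""
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack(">H", data[:2])
    body = data[2:]
    if len(body) != total:
        raise ValueError("SCT list length mismatch")
    scts, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        if pos + n > len(body):
            raise ValueError("SCT entry truncated")
        scts.append(parse_sct(body[pos:pos + n]))
        pos += n
    return scts


def lifetime_report(not_before: datetime, not_after: datetime,
                    sct_list: bytes, max_lifetime: timedelta) -> dict:
    """Lifetime as clients (and, per the message above, the BRs) measure it,
    plus how far notBefore sits before the latest SCT, i.e. the backdating
    the SCTs expose. max_lifetime is supplied by the caller."""
    lifetime = not_after - not_before
    stamps = [s["timestamp"] for s in parse_sct_list(sct_list)]
    latest = max(stamps) if stamps else None
    return {
        "lifetime_days": lifetime.days,
        "within_max": lifetime <= max_lifetime,
        "latest_sct": latest,
        "backdated_days": (latest - not_before).days if latest else None,
        "days_left_after_latest_sct": (not_after - latest).days if latest else None,
    }


# Erwann's scenario, with constructed dates and a made-up log ID.
T = datetime(2016, 1, 1, tzinfo=timezone.utc)
FAKE_LOG_ID = b"\x11" * 32
SAMPLE_SCT_LIST = build_sct_list([
    build_sct(FAKE_LOG_ID, T + timedelta(days=1)),
    build_sct(FAKE_LOG_ID, datetime(2018, 1, 1, tzinfo=timezone.utc)),  # T+2y
])
MAX_39_MONTHS = timedelta(days=39 * 365 / 12)       # assumed BR cap, approximate

if __name__ == "__main__":
    report = lifetime_report(T, datetime(2021, 1, 1, tzinfo=timezone.utc),
                             SAMPLE_SCT_LIST, MAX_39_MONTHS)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run as-is it reports the 5-year certificate as 1827 days, over the assumed cap, with notBefore sitting 731 days before the latest SCT and 1096 days of validity left after it. The parser refuses truncated or over-long lists rather than silently reading what it can, since an SCT list is attacker-influenced input when the checker is pointed at arbitrary certificates.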