[cabfpub] Ballot proposal for Issuance Date

Rob Stradling rob.stradling at comodo.com
Fri Sep 23 10:03:53 UTC 2016


CT permits, but doesn't require, SCTs to be embedded in the cert.  SCTs
can be provided via OCSP Stapling or a custom TLS extension instead.

So ISTM that we should consider defining an Issuance Time certificate
extension.  It might be useful even after we reach the point that CT is
required for all publicly-trusted serverAuth certs.

On 23/09/16 09:55, Gervase Markham wrote:
> On 23/09/16 00:02, Peter Bowen wrote:
>> Definitions:
>> (new) Issuance Date: The latest of the notBefore value of a certificate and the time value of any cryptographically signed timestamps included in a certificate
> 
> This is a clever definition because if you just have a notBefore, the
> Issuance Date is the notBefore, but if you need to fiddle the notBefore
> for compatibility reasons, you can do so by including any form of
> cryptographically signed timestamp - which can be an SCT or anything
> else you choose.
> 
> We could just require CT for such certs, but this definition gives more
> flexibility. However, when CT is used everywhere, the definition still
> works without modification.
> 
> So I like it :-)
> 
> Gerv

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
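Peter Bowen's proposed definition worked through on constructed input, as an added example that is not part of this thread: it parses the TLS-encoded SCT list carried in the RFC 6962 certificate extension (OID 1.3.6.1.4.1.11129.2.4.2) and takes the latest of notBefore and the SCT timestamps, falling back to notBefore alone when, as Rob notes, SCTs are delivered via OCSP stapling or a TLS extension instead. The function names and the dummy SCTs are mine, and SCT signature verification is omitted; a real implementation must verify each SCT against a trusted log key before treating its timestamp as evidence of anything.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_sct_list(data: bytes) -> list:
    """Parse a TLS-encoded SignedCertificateTimestampList (RFC 6962 section 3.3,
    the payload of the embedded-SCT extension) into a list of SCT timestamps."""
    (total_len,) = struct.unpack_from("!H", data, 0)
    if total_len != len(data) - 2:
        raise ValueError("SCT list length does not match extension payload")
    pos, timestamps = 2, []
    while pos < 2 + total_len:
        (sct_len,) = struct.unpack_from("!H", data, pos)
        sct = data[pos + 2:pos + 2 + sct_len]
        pos += 2 + sct_len
        if sct[0] != 0:                      # only SCT v1 (encoded as 0) is defined
            raise ValueError("unsupported SCT version %d" % sct[0])
        # v1 layout: version(1) | log_id(32) | timestamp(8, ms since epoch) | ...
        # the timestamp is only trustworthy once the SCT signature has been verified
        (ts_ms,) = struct.unpack_from("!Q", sct, 33)
        timestamps.append(EPOCH + timedelta(milliseconds=ts_ms))
    return timestamps

def issuance_date(not_before: datetime, sct_list: bytes = b"") -> datetime:
    """Issuance Date as proposed: the latest of notBefore and every signed
    timestamp embedded in the certificate; with no embedded SCTs it is notBefore."""
    candidates = [not_before]
    if sct_list:
        candidates.extend(parse_sct_list(sct_list))
    return max(candidates)

def build_sct_list(*ts_ms: int) -> bytes:
    """Constructed SCT list for testing: v1, all-zero log id, no extensions,
    SHA-256/ECDSA algorithm ids and an empty signature (deliberately NOT verifiable)."""
    scts = b""
    for ts in ts_ms:
        body = (b"\x00" + b"\x00" * 32 + struct.pack("!Q", ts)
                + struct.pack("!H", 0) + b"\x04\x03" + struct.pack("!H", 0))
        scts += struct.pack("!H", len(body)) + body
    return struct.pack("!H", len(scts)) + scts

def demo(embed_scts: bool = True) -> datetime:
    """Constructed scenario: notBefore backdated a day for clock-skew tolerance;
    with SCTs logged on 2016-09-23 the later SCT wins, without them notBefore does."""
    not_before = datetime(2016, 9, 22, tzinfo=timezone.utc)
    logged = [datetime(2016, 9, 23, 9, tzinfo=timezone.utc),
              datetime(2016, 9, 23, 10, tzinfo=timezone.utc)]
    if not embed_scts:
        return issuance_date(not_before)
    return issuance_date(not_before, build_sct_list(*(int(t.timestamp() * 1000) for t in logged)))
```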
