[cabfpub] Ballot proposal for Issuance Date
Peter Bowen
pzb at amzn.com
Fri Sep 23 13:48:41 UTC 2016
> On Sep 23, 2016, at 3:01 AM, Gervase Markham <gerv at mozilla.org> wrote:
>
> On 23/09/16 10:56, Erwann Abalea wrote:
>> If the certificate contains a notBefore=T, some SCTs with the latest
>> having a date=T+2 years, and a notAfter=notBefore+5 years, will this
>> certificate be BR-compliant, then?
>
> Good question. I think we should continue to measure certificate
> lifetime for BR purposes using notBefore and notAfter, because that's
> how clients measure it. Therefore, this means that if you have to
> backdate a cert for compatibility reasons, it won't last as long as it
> would otherwise. I think that's a small price to pay.
I disagree, especially given the recurring discussion about possibly shortening the allowed lifetime and the fact that it is not true today that the lifetime is defined as notAfter - notBefore. If you read the current BRs, they say:
Validity Period: The period of time measured from the date when the Certificate is issued until the Expiry Date.
Expiry Date: The “Not After” date in a Certificate that defines the end of a Certificate’s validity period.
The BRs don’t say that the “Not Before” date in a certificate is the date when the Certificate is issued.
With this proposal, we have a clear way to determine a 48 hour window in which a Certificate was issued. As long as we have high assurance that it was not issued before that window, then that window should kick off the 39-month, 27-month, or any future shorter period the BRs define.
Thanks,
Peter
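The following is an added example, not code from the thread or from any CA/Browser Forum ballot text; it works through Erwann's scenario (notBefore = T, latest SCT at T + 2 years, notAfter = notBefore + 5 years) under both readings of "issued" discussed above. It assumes the issuance window ends at the latest SCT timestamp and opens 48 hours earlier, and measures the validity period from the opening of that window, the conservative end; the `add_months`, `issuance_window`, `compliant` and `compare_readings` names are the example's own.

```python
from datetime import datetime, timedelta, timezone
import calendar

ISSUANCE_WINDOW = timedelta(hours=48)   # the 48 hour window from the message


def add_months(dt, months):
    """Shift dt forward by whole calendar months, clamping the day to the
    target month's length (e.g. 31 Jan + 1 month -> 28/29 Feb)."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def issuance_window(sct_timestamps):
    """Assumption: the window ends at the latest SCT timestamp and opens
    48 hours earlier; the SCTs give assurance the cert was not issued before it."""
    end = max(sct_timestamps)
    return end - ISSUANCE_WINDOW, end


def compliant(start, not_after, max_months):
    """Validity Period per the BR definitions quoted above: from `start`
    (the date the certificate is issued) to the Expiry Date (notAfter)."""
    return not_after <= add_months(start, max_months)


def compare_readings(not_before, not_after, sct_timestamps, max_months=39):
    """Evaluate the certificate under both readings of 'issued':
    'notBefore' (measuring as clients do) and 'window' (measuring from the
    opening of the SCT-derived issuance window)."""
    window_start, _ = issuance_window(sct_timestamps)
    return {
        "notBefore": compliant(not_before, not_after, max_months),
        "window": compliant(window_start, not_after, max_months),
    }


# Constructed scenario from Erwann's question: notBefore = T, latest SCT at
# T + 2 years, notAfter = notBefore + 5 years.
T = datetime(2016, 9, 23, tzinfo=timezone.utc)
SCENARIO = dict(
    not_before=T,
    not_after=T.replace(year=T.year + 5),
    sct_timestamps=[T + timedelta(days=1), T.replace(year=T.year + 2)],
)

if __name__ == "__main__":
    print(compare_readings(**SCENARIO))  # {'notBefore': False, 'window': True}
```

Under the notBefore reading the 5-year certificate exceeds 39 months; measured from the SCT-derived window it does not, which is the outcome the two positions in the thread differ on.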