[cabfpub] Ballot proposal for Issuance Date

Peter Bowen pzb at amzn.com
Fri Sep 23 13:48:41 UTC 2016


> On Sep 23, 2016, at 3:01 AM, Gervase Markham <gerv at mozilla.org> wrote:
> 
> On 23/09/16 10:56, Erwann Abalea wrote:
>> If the certificate contains a notBefore=T, some SCTs with the latest
>> having a date=T+2 years, and a notAfter=notBefore+5 years, will this
>> certificate be BR-compliant, then?
> 
> Good question. I think we should continue to measure certificate
> lifetime for BR purposes using notBefore and notAfter, because that's
> how clients measure it. Therefore, this means that if you have to
> backdate a cert for compatibility reasons, it won't last as long as it
> would otherwise. I think that's a small price to pay.

I disagree, especially given the recurring discussion about possibly shortening the allowed lifetime and the fact that it is not true today that the lifetime is defined at notAfter - notBefore.  If you read the current BRs, they say:

	Validity Period: The period of time measured from the date when the Certificate is issued until the Expiry Date.

	Expiry Date: The “Not After” date in a Certificate that defines the end of a Certificate’s validity period.

The BRs don’t say that the “Not Before” date in a certificate is the date when the Certificate is issued.

With this proposal, we have a clear way to determine a 48 hour window in which a Certificate was issued.  As long as we have high assurance that it was not issued before that window, then that window should kick off the 39-months, 27-months, or any future shorter period the BRs define.

Thanks,
Peter


More information about the Public mailing list