[cabfpub] Ballot proposal for Issuance Date

Jeremy Rowley jeremy.rowley at digicert.com
Tue Sep 27 17:09:11 UTC 2016


What does "included in the certificate" mean in this case?  Do SCTs included
as an extension or as part of stapled OCSP response count? If not, this
proposal will force CT over to embedment only.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rob Stradling
Sent: Friday, September 23, 2016 4:04 AM
To: Gervase Markham <gerv at mozilla.org>; Peter Bowen <pzb at amzn.com>; CABFPub
<public at cabforum.org>
Subject: Re: [cabfpub] Ballot proposal for Issuance Date

CT permits, but doesn't require, SCTs to be embedded in the cert.  SCTs can
be provided via OCSP Stapling or a custom TLS extension instead.

So ISTM that we should consider defining an Issuance Time certificate
extension.  It might be useful even after we reach the point that CT is
required for all publicly-trusted serverAuth certs.

On 23/09/16 09:55, Gervase Markham wrote:
> On 23/09/16 00:02, Peter Bowen wrote:
>> Definitions:
>> (new) Issuance Date: The latest of the notBefore value of a 
>> certificate and the time value of any cryptographically signed 
>> timestamps included in a certificate
> 
> This is a clever definition because if you just have a notBefore, the 
> Issuance Date is the notBefore, but if you need to fiddle the 
> notBefore for compatibility reasons, you can do so by including any 
> form of cryptographically signed timestamp - which can be an SCT or 
> anything else you choose.
> 
> We could just require CT for such certs, but this definition gives 
> more flexibility. However, when CT is used everywhere, the definition 
> still works without modification.
> 
> So I like it :-)
> 
> Gerv

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
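The definition under discussion (the latest of notBefore and any signed timestamp carried in the certificate) and Jeremy's question about where SCTs live, worked through as an added example that is not code from the thread: a parser for the RFC 6962 SCT list structure and the resulting Issuance Date. The log IDs, signatures and dates are constructed dummy values; the parser checks lengths but does not verify signatures.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc

def parse_sct_list(blob: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList (TLS vector encoding); the same
    encoding is used in the X.509 extension, the OCSP extension and the TLS extension."""
    (total,) = struct.unpack_from("!H", blob, 0)
    pos, end = 2, 2 + total
    if end != len(blob):
        raise ValueError("SCT list length does not match data length")
    scts = []
    while pos < end:
        (n,) = struct.unpack_from("!H", blob, pos)
        pos += 2
        sct = blob[pos:pos + n]
        pos += n
        if len(sct) < 43:
            raise ValueError("truncated SCT")
        # SCT layout: version(1) log_id(32) timestamp(8, ms since epoch) extensions signature
        (ts_ms,) = struct.unpack_from("!Q", sct, 33)
        scts.append({"version": sct[0], "log_id": sct[1:33], "timestamp_ms": ts_ms})
    return scts

def issuance_date(not_before: datetime, embedded_sct_list: bytes = b"") -> datetime:
    """Proposed definition: latest of notBefore and any signed timestamp included in the
    certificate. SCTs delivered only via OCSP stapling or TLS are not in the certificate."""
    candidates = [not_before]
    if embedded_sct_list:
        for sct in parse_sct_list(embedded_sct_list):
            candidates.append(datetime.fromtimestamp(sct["timestamp_ms"] / 1000, tz=UTC))
    return max(candidates)

def build_sct_list(*timestamps: datetime) -> bytes:
    """Constructed SCT list for the demo: log_id and signature are dummy bytes, not a real log's."""
    items = b""
    for ts in timestamps:
        body = (b"\x00" + b"\x11" * 32 + struct.pack("!Q", int(ts.timestamp() * 1000))
                + b"\x00\x00" + b"\x04\x03" + struct.pack("!H", 2) + b"\xaa\xbb")
        items += struct.pack("!H", len(body)) + body
    return struct.pack("!H", len(items)) + items

# Constructed sample: notBefore backdated for compatibility, two SCTs obtained later
NOT_BEFORE = datetime(2016, 9, 20, 0, 0, tzinfo=UTC)
SCTS = build_sct_list(datetime(2016, 9, 22, 12, 0, tzinfo=UTC),
                      datetime(2016, 9, 23, 8, 0, tzinfo=UTC))
```

With the SCTs embedded, the Issuance Date becomes the latest SCT timestamp; with the same SCTs delivered only via stapled OCSP, the certificate carries no signed timestamp and the date falls back to the backdated notBefore.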