[cabfpub] notBefore dates for certificates

Geoff Keating geoffk at apple.com
Wed Aug 2 03:07:58 UTC 2017


> On 1 Aug 2017, at 6:13 pm, Peter Bowen via Public <public at cabforum.org> wrote:
> 
> We’ve had an interesting situation come up that isn’t clearly covered in the BRs.
…
> So I have two questions:
> 1) Does anyone think setting a notBefore well before the issuance dates a problem, as long as the certificate includes a timestamp that represents the issuance date and the CA previously issued a certificate for the same domain name(s) to the same applicant that has a validity period that spans from the notBefore to issuance date?

I can’t immediately think of any reason not to allow this, but if you do this, please create a precertificate, upload it to CT, and put an SCT in the certificate as an indicator of the actual time of issuance.

(I think it’s a good general rule that the more weird is the thing you’re doing, the more transparent you want to be about it.)

> 2) What is the latest acceptable notAfter date?  39 months (or 825 days in the future) from the notBefore date or from the issuance date?

From the issuance date—in the BRs, the ‘Validity Period’ runs from issuance to expiry.  In fact I can’t find anything in the BRs about when the notBefore timestamp should be.

What people will actually check is the time between the SCT and the certificate expiry.  Make sure that’s less than 39 months/825 days.
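An added example, not part of the thread or anything the CA/Browser Forum publishes, of the check described above: read the SCT timestamps out of an RFC 6962 embedded SCT list and measure validity from the earliest one (the real issuance time) to notAfter, rather than from a possibly backdated notBefore. The SCT bytes, log id, dates and the 825-day limit are constructed assumptions mirroring the thread; the dummy signature is never verified.

```python
import struct
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 825  # the 825-day / 39-month limit discussed in the thread


def parse_sct_list(data: bytes):
    """Parse an RFC 6962 SignedCertificateTimestampList (the bytes inside the embedded-SCT
    extension's OCTET STRING) into (log_id, timestamp) pairs. Signatures are not verified."""
    (total,) = struct.unpack_from("!H", data, 0)
    pos, end, scts = 2, 2 + total, []
    while pos < end:
        (length,) = struct.unpack_from("!H", data, pos)
        sct = data[pos + 2:pos + 2 + length]
        pos += 2 + length
        if sct[0] != 0:  # only SCT version v1 (encoded as 0) is defined
            raise ValueError(f"unsupported SCT version {sct[0]}")
        (ts_ms,) = struct.unpack_from("!Q", sct, 33)  # after version(1) + log_id(32)
        scts.append((sct[1:33], datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)))
    return scts


def build_sct_list(entries) -> bytes:
    """Serialise constructed test data: minimal v1 SCTs (empty extensions, fake signature)
    for each (log_id, timestamp) pair. Not real log output."""
    scts = b""
    for log_id, ts in entries:
        body = b"\x00" + log_id + struct.pack("!Q", int(ts.timestamp() * 1000)) + b"\x00\x00"
        body += b"\x04\x03" + struct.pack("!H", 4) + b"\xde\xad\xbe\xef"  # sha256, ecdsa, dummy sig
        scts += struct.pack("!H", len(body)) + body
    return struct.pack("!H", len(scts)) + scts


def validity_from_sct_days(sct_list: bytes, not_after: datetime) -> float:
    """Validity as the thread says it is actually checked: earliest SCT timestamp
    (the real issuance time) to notAfter, ignoring a backdated notBefore."""
    issued = min(ts for _, ts in parse_sct_list(sct_list))
    return (not_after - issued).total_seconds() / 86400


def thread_scenario():
    """Constructed numbers mirroring the thread: notBefore backdated to 1 Jan 2017, real
    issuance (SCT timestamp) 1 Aug 2017, notAfter = issuance + 825 days."""
    not_before = datetime(2017, 1, 1, tzinfo=timezone.utc)
    issued = datetime(2017, 8, 1, tzinfo=timezone.utc)
    sct_list = build_sct_list([(b"\x11" * 32, issued)])
    not_after = issued + timedelta(days=MAX_VALIDITY_DAYS)
    return {
        "days_from_not_before": (not_after - not_before).days,  # 1037: the misleading measure
        "days_from_sct": validity_from_sct_days(sct_list, not_after),  # 825.0
        "ok": validity_from_sct_days(sct_list, not_after) <= MAX_VALIDITY_DAYS,
        "too_long": validity_from_sct_days(sct_list, not_after + timedelta(days=1)) <= MAX_VALIDITY_DAYS,
    }
```

Measured from the backdated notBefore the certificate looks far too long; measured from the SCT it sits exactly at the limit, and one more day pushes it over.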