[Smcwg-public] Backdating S/MIME revocations

Ben Wilson bwilson at mozilla.com
Mon Nov 13 22:15:58 UTC 2023


I'm also interested in how this language on Mozilla's wiki might be
supplemented with better guidance -- "Minor tweaking for technical
compatibility reasons is accepted, but backdating certificates in order to
avoid some deadline, prohibition, or code-enforced restriction is not."
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date

On Wed, Oct 4, 2023 at 8:39 AM Martijn Katerbarg via Smcwg-public <
smcwg-public at cabforum.org> wrote:

> On the back of this, and the discussion that was held during the last
> call, I’ve created a proposed language update to address this. Please find
> this available for discussion at
> https://github.com/cabforum/smime/pull/217
>
> Regards,
>
> Martijn
>
> *From: *Smcwg-public <smcwg-public-bounces at cabforum.org> on behalf of
> Martijn Katerbarg via Smcwg-public <smcwg-public at cabforum.org>
> *Date: *Wednesday, 20 September 2023 at 11:26
> *To: *SMIME Certificate Working Group <smcwg-public at cabforum.org>
> *Subject: *[Smcwg-public] Backdating S/MIME revocations
>
> Hi all,
>
> Within our compliance team, we recently had a discussion around the way we
> handle revocation dates.
>
> For Code Signing certificates, CAs are required to keep the time encoded in
> the InvalidityDate extension and the revocationDate field the same.
> Additionally, if a CA deems that a historic date should be set, for example
> due to a key compromise having occurred a while ago, CAs are required to
> backdate the value.
>
> For TLS Certificates, CAs should set the revocationDate value to the date
> and time when revocation occurred; however, CAs are allowed to backdate if
> deemed appropriate.
>
> Both of these documents state that this is a deviation/exception to best
> practices described in RFC 5280.
>
> However, when we look at the SBRs, we could not find any such language that
> would clarify if and when backdating is allowed. I’m wondering if there’s
> been any discussion in the past around this, if this was left out on
> purpose, or if we missed this?
>
> Likewise, I’m wondering how other issuers and consumers look at this, and
> if we want to add some clarifying language in the SBRs. I’m inclined to say
> that backdating revocation is something we should be supporting.
>
> Regards,
>
> Martijn
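The InvalidityDate/revocationDate relationship Martijn describes in the quoted message is easy to check mechanically once the CRL entry is parsed. What follows is an added example, not code from the poster, the CA/B Forum or Mozilla: it DER-encodes and decodes one revokedCertificates entry the way RFC 5280 lays it out (revocationDate as UTCTime through 2049 and GeneralizedTime from 2050 on, InvalidityDate always a GeneralizedTime wrapped in an OCTET STRING), then applies three checks to the decoded entry. Assumptions: the "codesigning" profile encodes the rule as the mail states it (the two times must match) and does not quote the Code Signing BRs text; the "backdated" finding assumes a CRL monitor that remembered the thisUpdate of the last CRL in which the serial was still absent, since that comparison is the only way a relying party can observe backdating from outside the CA; the serials and dates are constructed sample values.

```python
"""Added example (not code from the poster, the CA/B Forum or Mozilla): DER encode and
decode one CRL entry (RFC 5280 5.1.2.6) and check revocationDate against InvalidityDate.
Assumed: the "codesigning" rule is the one the mail describes; "backdated" assumes a
monitor that kept thisUpdate of the prior CRL; all dates and serials are constructed."""
import datetime as dt
from dataclasses import dataclass
from typing import List, Optional

UTC = dt.timezone.utc
OID_INVALIDITY_DATE = bytes([0x55, 0x1D, 0x18])  # id-ce-invalidityDate, 2.5.29.24

# Constructed timeline: prior CRL issued Sep 19, compromise dated Sep 1, CA acted Sep 20.
PREV_THIS_UPDATE = dt.datetime(2023, 9, 19, 12, 0, 0, tzinfo=UTC)
COMPROMISED = dt.datetime(2023, 9, 1, 0, 0, 0, tzinfo=UTC)
PROCESSED = dt.datetime(2023, 9, 20, 9, 0, 0, tzinfo=UTC)

@dataclass
class Entry:
    serial: int
    revocation_date: dt.datetime
    invalidity_date: Optional[dt.datetime]

def der(tag: int, body: bytes) -> bytes:
    """DER TLV with definite length (short form below 128, long form otherwise)."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def der_time(t: dt.datetime, generalized: bool = False) -> bytes:
    """RFC 5280 Time: UTCTime through 2049, GeneralizedTime from 2050 on.
    InvalidityDate is always GeneralizedTime, hence the flag. Naive input is taken as UTC."""
    t = t.replace(tzinfo=UTC) if t.tzinfo is None else t.astimezone(UTC)
    if not generalized and 1950 <= t.year <= 2049:
        return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return der(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def encode_entry(serial: int, revocation_date: dt.datetime,
                 invalidity_date: Optional[dt.datetime] = None) -> bytes:
    """One revokedCertificates element: SEQUENCE { serial, Time, crlEntryExtensions OPTIONAL }."""
    body = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    body += der_time(revocation_date)
    if invalidity_date is not None:  # non-critical, so DER omits the critical BOOLEAN
        ext = der(0x30, der(0x06, OID_INVALIDITY_DATE)
                  + der(0x04, der_time(invalidity_date, generalized=True)))
        body += der(0x30, ext)
    return der(0x30, body)

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the TLV); single-octet tags only."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_time(tag: int, body: bytes) -> dt.datetime:
    s = body.decode("ascii")
    if tag == 0x17:  # UTCTime: RFC 5280 reads YY >= 50 as 19YY, otherwise as 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError("not a Time, tag 0x%02x" % tag)
    if len(s) != 15 or s[-1] != "Z":
        raise ValueError("Time must be Zulu with seconds")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def decode_entry(buf: bytes) -> Entry:
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("CRL entry must be a SEQUENCE")
    _, ser, pos = read_tlv(body)
    ttag, tbody, pos = read_tlv(body, pos)
    entry = Entry(int.from_bytes(ser, "big"), parse_time(ttag, tbody), None)
    if pos < len(body):  # crlEntryExtensions present
        _, exts, _ = read_tlv(body, pos)
        p = 0
        while p < len(exts):
            _, ext, p = read_tlv(exts, p)
            _, oid, q = read_tlv(ext)
            vtag, val, q = read_tlv(ext, q)
            if vtag == 0x01:  # explicit critical BOOLEAN, skip ahead to extnValue
                _, val, q = read_tlv(ext, q)
            if oid == OID_INVALIDITY_DATE:
                entry.invalidity_date = parse_time(*read_tlv(val)[:2])
    return entry

def check_entry(entry: Entry, prev_this_update: Optional[dt.datetime], profile: str) -> List[str]:
    """Findings for one entry under a profile; an empty list means consistent."""
    findings = []
    if entry.invalidity_date is not None:
        if entry.invalidity_date > entry.revocation_date:
            findings.append("invalidityDate after revocationDate (contradicts RFC 5280 5.3.2)")
        elif profile == "codesigning" and entry.invalidity_date != entry.revocation_date:
            findings.append("invalidityDate != revocationDate (Code Signing rule as described in the mail)")
    if prev_this_update is not None and entry.revocation_date < prev_this_update:
        findings.append("backdated: revocationDate precedes thisUpdate of the prior CRL")
    return findings

def demo(profile: str = "codesigning"):
    """Three constructed entries, DER round-tripped, checked against the timeline above."""
    cases = {"honest": encode_entry(0x1001, PROCESSED, COMPROMISED),
             "backdated_to_match": encode_entry(0x1002, COMPROMISED, COMPROMISED),
             "inverted": encode_entry(0x1003, COMPROMISED, PROCESSED)}
    return {name: check_entry(decode_entry(raw), PREV_THIS_UPDATE, profile)
            for name, raw in cases.items()}
```

`demo()` walks the three cases: an entry that records the compromise date in InvalidityDate but keeps revocationDate at processing time, one where revocationDate was moved back to match, and one with the two inverted. Under any profile other than "codesigning" only the RFC 5280 ordering check and the prior-CRL heuristic fire, which is the gap in the SBRs the message asks about.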