[Smcwg-public] Backdating S/MIME revocations

Martijn Katerbarg martijn.katerbarg at sectigo.com
Wed Oct 4 14:39:31 UTC 2023

On the back of this, and the discussion that was held during the last call, I’ve created a proposed language update to address this. Please find this available for discussion at https://github.com/cabforum/smime/pull/217



From: Smcwg-public <smcwg-public-bounces at cabforum.org> on behalf of Martijn Katerbarg via Smcwg-public <smcwg-public at cabforum.org>
Date: Wednesday, 20 September 2023 at 11:26
To: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Backdating S/MIME revocations 


Hi all, 

Within our compliance team, we recently had a discussion around the way we handle revocation dates. 

For Code Signing certificates, CAs are required to keep the time encoded in the InvalidityDate extension and revocationDate field the same. Additionally, if a CA deems that a historic date should be set, for example due to a key compromise having occurred a while ago, CAs are required to backdate the value.

For TLS Certificates, CAs should set the revocationDate value for the date and time when revocation occurred; however, CAs are allowed to backdate if deemed appropriate.

Both of these documents state that this is a deviation/exception to best practices described in RFC5280. 

However, when we look at the SBRs, we could not find any such language that would clarify if and when backdating is allowed. I’m wondering if there’s been any discussion in the past around this, if this was left out on purpose, or if we missed this?

Likewise, I’m wondering how other issuers and consumers look at this, and if we want to add some clarifying language in the SBRs. I’m inclined to say that backdating revocation is something we should be supporting. 


