Gervase Markham wrote:
> ===Backdating the notBefore date===
>
> Certificates do not contain an issue timestamp, so it is not possible to
> be certain when they were issued. The notBefore date is the start of the
> certificate's validity range, and is set by the CA. It should be a
> reasonable reflection of the date on which the certificate was issued.
> Minor tweaking for technical compatibility reasons is accepted, but
> backdating certificates in order to avoid some deadline or code-enforced
> restriction is not.
Is this intended to apply also to intermediates/Sub-CAs? At least for
certificate modifications that would be bad.

With the current de facto end-of-life date for sha1-based Sub-CA certificates
it can be necessary to renew signatures on existing Sub-CA certificates with
sha2WithRSAEncryption with identical issuance dates/public keys. That scenario
should still be allowed. I don't see a problem with transparency here.

Regards,
Jürgen

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

