On 2013-11-29 19:33, Brian Smith wrote:
> I suggest you propose it as a change to the baseline requirements.

I concur. This should not just be a problematic practice, but clearly
and unmistakably prohibited (for end-entity certificates). Issuing a
backdated end-entity certificate should be considered misissuance.
(Possibly allowing a small, clearly defined amount of hours that certs
can be backdated for technical reasons.)

This is especially important if we ever implement the "Do not trust
certs from CA X issued after a certain date" feature to have a response
to security incidents/crappy CAs that doesn't break the web and thus
solves "too big to fail".

The certificate UI in Firefox explicitly calls the notBefore date
"Issued on". I'd assume other programs interpret the date in a similar
manner.


Kind regards,
Jan

-- 
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
