On 12/3/2013 3:29 AM, Rob Stradling wrote:
> I can't think of any reason why a CA would need to back-date an _end-entity_ certificate. So by all means list this as a potentially problematic practice.
At Amazon, we recently had a situation where we needed to get an end-entity certificate back-dated to 2012. When we replaced a certificate on a publicly facing server, certain functions on a consumer electronics device stopped working. After debugging we found out that the device in question does not have an internal time and date reference. When the device initializes communication with our servers it first makes a call using HTTP over TLS to get the current date. It then uses this value to set the time for the current session duration. On this initial call, the certificate chain returned by the server is validated using the system default date of January 1, 2012. This means that a certificate issued in 2013 is seen as being in the future and is not accepted by the client on the device. We had to work with a CA to get a back-dated certificate on renewal to allow this device to continue to function as expected.
I think that it is reasonable to consider back-dating a Problematic Practice, but it is something that should be allowed for specific use cases. As long as we have embedded devices out there, we will run into corner cases requiring some gymnastics to keep things working.
Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
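The failure mode Peter describes, modelled as an added example (this is not code from Amazon, the device vendor or the list; the certificate names, dates and the `Cert` type are constructed for illustration): a validity-period check run against the device's default clock rejects a leaf issued in 2013 as "not yet valid", accepts a leaf back-dated to 2012-01-01, and accepts the 2013 leaf again once the device has learned the real date.

```python
"""Clock-less device bootstrap versus certificate validity periods.

Added example, not Amazon's or any CA's code. Certificates are
constructed stand-ins holding only the fields that matter here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate's validity fields."""
    subject: str
    not_before: datetime
    not_after: datetime


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def check_validity_period(chain, now):
    """Return a list of problems for certificates not valid at `now`.

    Empty list means every certificate passes the time check. Signature,
    name and revocation checks are out of scope for this example.
    """
    problems = []
    for cert in chain:
        if now < cert.not_before:
            problems.append(f"{cert.subject}: not yet valid "
                            f"(notBefore {cert.not_before:%Y-%m-%d})")
        elif now > cert.not_after:
            problems.append(f"{cert.subject}: expired "
                            f"(notAfter {cert.not_after:%Y-%m-%d})")
    return problems


# The device's firmware default clock, as described in the thread.
DEVICE_DEFAULT_CLOCK = utc(2012, 1, 1)

# Constructed chains; the intermediate predates 2012, so only the leaf differs.
INTERMEDIATE = Cert("Example Intermediate CA", utc(2010, 6, 1), utc(2020, 6, 1))
RENEWED_2013 = [Cert("www.example.com (issued 2013)",
                     utc(2013, 11, 20), utc(2015, 11, 20)), INTERMEDIATE]
BACKDATED = [Cert("www.example.com (back-dated)",
                  utc(2012, 1, 1), utc(2015, 11, 20)), INTERMEDIATE]


def first_contact_ok(chain, device_clock=DEVICE_DEFAULT_CLOCK):
    """Simulate the bootstrap call: TLS validation runs before the device
    has fetched the real date, so the default clock is all it has."""
    return not check_validity_period(chain, device_clock)
```

After the bootstrap call succeeds the device sets its session clock from the server's date, so `check_validity_period(RENEWED_2013, utc(2013, 12, 3))` returns no problems; the renewal only breaks on the very first call.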

