On 12/5/2013 7:29 PM, Peter Bowen wrote:
>
> On 12/3/2013 3:29 AM, Rob Stradling wrote:
>> I can't think of any reason why a CA would need to back-date an
>> _end-entity_ certificate. So by all means list this as a potentially
>> problematic practice.
>
> At Amazon, we recently had a situation where we needed to get an end
> entity certificate back-dated to 2012. When we replaced a certificate on
> a publicly facing server, certain functions on a consumer electronics
> device stopped working. After debugging we found out that the device in
> question does not have an internal time and date reference. When the
> device initializes communication with our servers it first makes a call
> using HTTP over TLS to get the current date. It then uses this value to
> set the time for the current session duration. On this initial call, the
> certificate chain returned by the server is validated using the system
> default date of January 1, 2012. This means that a certificate issued in
> 2013 is seen as being in the future and is not accepted by the client on
> the device. We had to work with a CA to get a back-dated certificate on
> renewal to allow this device to continue to function as expected.
>
> I think that it is reasonable to consider back-dating a Problematic
> Practice, but it is something that should be allowed for specific use
> cases. As long as we have embedded devices out there, we will run into
> corner cases requiring some gymnastics to keep things working.
>
> Thanks,
>
> Peter
>
You have a very buggy "consumer electronics device" that should be
replaced by the manufacturer. If this is a product Amazon is selling,
Amazon should stop selling it and offer refunds to all customers who
return it.

-- 
David E. Ross
<http://www.rossde.com/>

Where does your elected official stand? Which politicians refuse to
tell us where they stand? See the non-partisan Project Vote Smart at
<http://votesmart.org/>.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
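The failure Peter describes is a plain validity-window check run against a wrong clock: a device with no real-time reference boots at its default date (January 1, 2012 in the thread), fetches the current time over TLS, and validates the server's chain with that default clock, so any certificate whose notBefore is later than the default date is rejected as "not yet valid". The following Python is an added illustration written for this page, not code from the thread, Amazon, or any CA: the certificates, dates and chain shape are constructed stand-ins (no real X.509 parsing or signature checking), and `earliest_valid_clock()` is the pre-deployment check an operator of such a fleet would want, i.e. the latest notBefore in the new chain compared against the devices' default clock before the renewed certificate goes live.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC date (helper for the constructed sample data)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    """Only the fields the validity-window check needs (constructed stand-in, not a real X.509 parse)."""
    subject: str
    not_before: datetime
    not_after: datetime


def validate_chain_at(chain, now):
    """Check every certificate in the chain against the clock value `now`.

    Returns (ok, reason). Signature, name and revocation checks are out of scope here;
    the point is what happens when `now` comes from an unset device clock."""
    for cert in chain:
        if now < cert.not_before:
            return False, (f"{cert.subject}: not yet valid "
                           f"(notBefore {cert.not_before:%Y-%m-%d} > clock {now:%Y-%m-%d})")
        if now > cert.not_after:
            return False, (f"{cert.subject}: expired "
                           f"(notAfter {cert.not_after:%Y-%m-%d} < clock {now:%Y-%m-%d})")
    return True, "ok"


def earliest_valid_clock(chain):
    """Earliest clock value at which the whole chain validates: the latest notBefore in it.

    Operators of clockless devices can compare this with the fleet's default boot date
    before deploying a renewed chain, instead of discovering the mismatch in production."""
    return max(cert.not_before for cert in chain)


def bootstrap_session(chain, device_clock, server_time):
    """Simulate the device's first call as described in the thread: the chain is validated
    with whatever the device clock currently says, and only on success is the server-supplied
    time adopted for the rest of the session. Returns (session_time or None, reason)."""
    ok, reason = validate_chain_at(chain, device_clock)
    if not ok:
        return None, reason
    return server_time, "ok"


# From the thread: the clockless device boots believing it is 2012-01-01.
DEVICE_DEFAULT_CLOCK = utc(2012, 1, 1)

# Constructed sample chains; all dates are illustrative.
ROOT = Cert("Example Root CA", utc(2006, 1, 1), utc(2031, 1, 1))
INTERMEDIATE = Cert("Example Intermediate CA", utc(2010, 6, 1), utc(2020, 6, 1))
LEAF_RENEWED_2013 = Cert("www.example.com (issued 2013)", utc(2013, 11, 15), utc(2015, 11, 15))
LEAF_BACKDATED = Cert("www.example.com (back-dated to 2011)", utc(2011, 12, 1), utc(2015, 11, 15))

CHAIN_2013 = [ROOT, INTERMEDIATE, LEAF_RENEWED_2013]
CHAIN_BACKDATED = [ROOT, INTERMEDIATE, LEAF_BACKDATED]


if __name__ == "__main__":
    server_now = utc(2013, 12, 5)
    for label, chain in (("renewed 2013", CHAIN_2013), ("back-dated", CHAIN_BACKDATED)):
        session_time, reason = bootstrap_session(chain, DEVICE_DEFAULT_CLOCK, server_now)
        print(f"{label}: session time = {session_time} ({reason}); "
              f"earliest valid clock = {earliest_valid_clock(chain):%Y-%m-%d}")
```

Run stand-alone, the 2013 chain fails the bootstrap with a "not yet valid" reason while the back-dated chain is accepted, which is exactly the corner case the thread argues over; the same 2013 chain validates fine once a correct clock is supplied, so `earliest_valid_clock()` is the number to check against a fleet's default date before a renewal.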

