Thanks for correcting me on what's in the BR. It seems to me that when we spend so much time in this forum talking about the dates, I figured this stuff was already in there.

Regarding browsers checking and blocking forward-dated certs, I agree and would expect that browsers would behave that way. Outside of web browsers, I wouldn't be at all surprised to find cert validation software that doesn't even bother to check the notBefore date.

Even in the cases where checking is performed, once that notBefore date is reached I am free and clear to use that cert and there is nothing you can do to stop me. When you consider that "I" may or may not be the legitimate holder of that cert and "you" may or may not be the cert issuer, well, you can see how bad things could happen.

For example, consider when an employee leaves a company or how the NSA/GCHQ might use such certs....

From: Rob Stradling
Sent: Friday, December 6, 2013 8:29 AM
Subject: Re: New problematic practice

On 06/12/13 14:23, [email protected] wrote:
> Peter G and Peter B are correct and the reality in the embedded world is
> that if you want to provide some sort of service (https or otherwise) to
> an embedded device with known limitations and a software update is not
> possible, then you have to play any number of games with certificates.
>
> But my bigger issue is that this back-dating practice hardly seems
> problematic from strictly a security standpoint. It seems to me the only
> real problematic aspect is that the BR says don't do it.

Actually Peter (K), the BRs don't (yet) say anything about back-dating
or forward-dating. Hence this thread.

> That said, the practice of forward-dating is not only problematic but
> actually rather dangerous for one simple reason: revocation, and the
> fact that revocation cannot be forced.
>
> If I have a cert with a notBefore date of one year from now and a
> notAfter date that's two years from now, that cert is basically valid
> for the next two years no matter what. That becomes a big problem if the
> private key becomes compromised, for example.

If the "notBefore" date is in the future, I'd expect the browser to
reject the cert. Do you know of any browsers that don't behave like that?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
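An added illustration of the notBefore point above (this is example code written for this page, not code from anyone in the thread, from a browser or from a CA): a stdlib-only Python routine that reads notBefore/notAfter straight out of a DER-encoded certificate and applies the validity-window check, with the notBefore test switchable so a "notAfter-only" validator of the kind Peter K. expects to exist can be compared with a strict one. The certificate it checks is constructed inside the block (an unsigned stand-in with empty issuer/subject Names and a placeholder signature), so it runs offline; `utc_date`, `build_test_cert` and `forward_dated_demo` are helper names invented for this example.

```python
# Added example, not code from the thread: validity-window check on a DER cert.
from datetime import datetime, timezone

def utc_date(year, month, day):
    """Midnight UTC on the given day, as a timezone-aware datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)

# --- minimal DER reader: just enough to reach TBSCertificate.validity ------
def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _decode_time(tag, val):
    """Decode RFC 5280 UTCTime (tag 0x17) or GeneralizedTime (tag 0x18)."""
    text = val.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                      # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity_period(cert_der):
    """Return (notBefore, notAfter) from a DER-encoded Certificate."""
    _, certificate, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs = next(_children(certificate))          # first element: tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    (tag_nb, nb), (tag_na, na) = list(_children(fields[3][1]))[:2]
    return _decode_time(tag_nb, nb), _decode_time(tag_na, na)

def check_validity(cert_der, now, check_not_before=True):
    """Return 'valid', 'expired' or 'not yet valid' for the cert at time `now`.

    check_not_before=False models a validator that only looks at notAfter.
    """
    not_before, not_after = validity_period(cert_der)
    if now > not_after:
        return "expired"
    if check_not_before and now < not_before:
        return "not yet valid"
    return "valid"

# --- constructed test certificate (unsigned stand-in, built right here) -----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content

def _der_time(dt):
    # RFC 5280: dates through 2049 as UTCTime, 2050 and later as GeneralizedTime
    if dt.year < 2050:
        return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return _der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def build_test_cert(not_before, not_after):
    """Constructed DER Certificate with the given validity. Issuer and subject
    are empty Names and the signature is a placeholder: NOT a real certificate."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                  # version v3
               + _der(0x02, b"\x01")                            # serialNumber 1
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
               + _der(0x30, b"")                                # issuer (empty Name)
               + _der(0x30, _der_time(not_before) + _der_time(not_after))
               + _der(0x30, b""))                               # subject (empty Name)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

def forward_dated_demo():
    """The case from the thread: notBefore one year out, notAfter two years out,
    checked on 2013-12-06 by a strict validator and by a notAfter-only one."""
    cert = build_test_cert(utc_date(2014, 12, 6), utc_date(2015, 12, 6))
    today = utc_date(2013, 12, 6)
    return (check_validity(cert, today),
            check_validity(cert, today, check_not_before=False))
```

Calling `forward_dated_demo()` gives `('not yet valid', 'valid')`: the strict validator rejects the forward-dated cert today, the notAfter-only one accepts it a year early. Neither outcome involves the issuer; once notBefore passes, only a revocation check the relying party actually performs can stop the cert, which is the point made above about revocation not being forceable.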
