I think this is a good idea.  Per 5280, the notBefore date is used to
indicate the start of the certificate's validity (not the date it was
issued).  Using a new optional extension for issuance date will avoid
causing technical problems with other systems and still let Mozilla enforce
the BRs. 

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Rob Stradling
Sent: Friday, December 06, 2013 3:49 AM
To: [email protected]
Cc: Gervase Markham
Subject: Re: New problematic practice

On 29/11/13 09:20, Gervase Markham wrote:
> Prompted by Rob Stradling, I just added the following to the 
> Potentially Problematic Practices page:
>
> ===Backdating the notBefore date===
>
> Certificates do not contain an issue timestamp,

Why don't we define a new, optional "Issuance Date" certificate extension?

If this extension is present in a cert:
Code, auditors and other interested parties MUST NOT treat "notBefore" 
as an indication of when the cert was issued.  (Instead, they MAY use the
date in the extension for this purpose).

If this extension is not present in a cert:
Code, auditors and other interested parties MAY assume that "notBefore" 
is a pretty good indication of when the cert was issued.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
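The rule Rob proposes is easy to mis-implement (code that keeps reading notBefore as the issuance date even when the extension is present is exactly what the MUST NOT forbids), so here is a worked check, written for this note and not taken from the thread or from any CA's or Mozilla's code. It uses only the Go standard library. The extension OID is a hypothetical, unregistered placeholder, and the certificate is a throwaway self-signed one constructed inline as test input; the function names IssuanceDate, BackdatingGap and BuildTestCert are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IssuanceDateOID is a hypothetical, unregistered OID standing in for the
// proposed "Issuance Date" extension; a real extension would need an assigned arc.
var IssuanceDateOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// IssuanceDate applies the rule from the thread: when the extension is present,
// its GeneralizedTime is the issuance date and notBefore must not be used for
// that purpose; when it is absent, notBefore is taken as the best available estimate.
func IssuanceDate(cert *x509.Certificate) (issued time.Time, fromExtension bool, err error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(IssuanceDateOID) {
			continue
		}
		var t time.Time
		rest, err := asn1.Unmarshal(ext.Value, &t)
		if err != nil {
			return time.Time{}, false, fmt.Errorf("issuance date extension: %w", err)
		}
		if len(rest) != 0 {
			return time.Time{}, false, errors.New("issuance date extension: trailing data")
		}
		return t, true, nil
	}
	return cert.NotBefore, false, nil
}

// BackdatingGap is what an auditor looking at the "backdated notBefore" practice
// wants: how far the asserted issuance date lies after notBefore. Without the
// extension the gap is zero by construction, which is why the extension is
// needed to make backdating visible at all.
func BackdatingGap(cert *x509.Certificate) (time.Duration, error) {
	issued, _, err := IssuanceDate(cert)
	if err != nil {
		return 0, err
	}
	return issued.Sub(cert.NotBefore), nil
}

// BuildTestCert constructs a throwaway self-signed certificate (constructed test
// input, not a real CA artifact) with the given notBefore and, when issued is
// non-nil, the hypothetical extension carrying that date as a GeneralizedTime.
func BuildTestCert(notBefore time.Time, issued *time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	if issued != nil {
		der, err := asn1.MarshalWithParams(issued.UTC(), "generalized")
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: IssuanceDateOID, Value: der}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed dates: notBefore a month before the cert was actually minted.
	notBefore := time.Date(2013, 11, 1, 0, 0, 0, 0, time.UTC)
	issued := time.Date(2013, 12, 6, 3, 49, 0, 0, time.UTC)
	for _, withExt := range []bool{false, true} {
		var ptr *time.Time
		if withExt {
			ptr = &issued
		}
		der, err := BuildTestCert(notBefore, ptr)
		if err != nil {
			panic(err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			panic(err)
		}
		got, fromExt, _ := IssuanceDate(cert)
		gap, _ := BackdatingGap(cert)
		fmt.Printf("extension=%v issued=%s fromExtension=%v gap=%s\n",
			withExt, got.Format(time.RFC3339), fromExt, gap)
	}
}
```

The second run shows the point of the proposal: with the extension present, the cert reports a 35-day gap between notBefore and issuance that a reader of notBefore alone would never see; without it, notBefore is all there is and the gap is necessarily zero.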
