On Saturday, 7 December 2013 at 11:11:13 UTC+1, Peter Gutmann wrote:
> Jeremy Rowley <[email protected]> writes:
> >I think this is a good idea. Per 5280, the notBefore date is used to
> >indicate the start of the certificate's validity (not the date it was
> >issued). Using a new optional extension for issuance date will avoid causing
> >technical problems with other systems and still let Mozilla enforce the BRs.

Then we'll have another discussion on what to do against the problematic practice of backdating this extension.

> Doesn't this extension already exist in the form of the privateKeyUsagePeriod?
> That's actually extremely useful for limiting the exposure of a key, you set
> the pKUP to when the key is active and the validFrom/To the period when you
> can check e.g. a signature generated with the cert.

Has this extension been de-obsoleted? It was already deprecated in RFC2459, it's not even present in RFC5280 anymore.

