On Wed, Jan 24, 2018 at 7:05 AM Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> > -----Original Message-----
> > From: Gervase Markham [mailto:g...@mozilla.org]
> > Sent: Wednesday, January 24, 2018 7:00 AM
> > To: Doug Beattie <doug.beat...@globalsign.com>; mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: Re: GlobalSign certificate with far-future notBefore
> >
> > Hi Doug,
> >
> > Thanks for the quick response.
> >
> > On 24/01/18 11:52, Doug Beattie wrote:
> > > In the case below, the customer ordered a 39 month certificate and set
> > > the notBefore date for 2 months into the future.
> >
> > Momentary 2017/2018 confusion in my brain had me thinking that this was
> > further into the future than it actually was. But yet still, it is the
> > other side of a reduction in certificate lifetime deadline.
> >
> > > We permit customers to set a notBefore date into the future, possibly
> > > for the reason listed below, but there could be other reasons.
> >
> > So if a customer came to you today and renewed their certificate for
> > www.example.com with validity from 24th Jan 2017 to 24th Apr 2020
> > (perfectly fine), and then requested a second 39-month certificate valid
> > from 24th Apr 2020 to 24th July 2023, would you issue this second one?
>
> No, we would not issue that certificate. In no case would we issue a
> certificate that has a notAfter more than 39 months from today, which is
> currently 24 Apr 2021.

That’s purely a business decision, right? I couldn’t see anything in the BRs prohibiting a CA from doing this, particularly given how validation data is allowed to be reused, but I’m curious if GlobalSign reached a different decision.