On 24/01/2018 13:54, Ryan Sleevi wrote:
On Wed, Jan 24, 2018 at 7:05 AM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
-----Original Message-----
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Wednesday, January 24, 2018 7:00 AM
To: Doug Beattie <doug.beat...@globalsign.com>; mozilla-dev-security-
pol...@lists.mozilla.org
Subject: Re: GlobalSign certificate with far-future notBefore

Hi Doug,

Thanks for the quick response.

On 24/01/18 11:52, Doug Beattie wrote:
In the case below, the customer ordered a 39 month certificate and set
the notBefore date for 2 months into the future.

Momentary 2017/2018 confusion in my brain had me thinking that this was
further into the future than it actually was. But yet still, it is the
other side of a
reduction in certificate lifetime deadline.

We permit customers to set a notBefore date into the future, possibly
for the reason listed below, but there could be other reasons.

So if a customer came to you today and renewed their certificate for
www.example.com with validity from 24th Jan 2017 to 24th Apr 2020
(perfectly fine), and then requested a second 39-month certificate valid
from
24th Apr 2020 to 24th July 2023, would you issue this second one?

No, we would not issue that certificate.  In no case would we issue a
certificate that has a notAfter more than 39 months from today, which is
currently 24 Apr 2021.


That’s purely a business decision, right? I couldn’t see anything in the
BRs prohibiting a CA from doing this, particularly given how validation
data is allowed to be reused, but I’m curious if GlobalSign reached a
different decision.


The BRs make no reference to the "Not Before" date in a certificate,
which is why backdating certificates does not excuse a CA from the
rules.

BR 1.6.1 (definitions) defines "validity period" as follows

Expiry Date: The “Not After” date in a Certificate that defines the end
of a Certificate’s validity period.

Validity Period: The period of time measured from the date when the
Certificate is issued until the Expiry Date

BR 6.3.2 sets the limits on the "validity period"

So the BRs limit the time between the /actual/ date of issuance and the
"Not After" date in the certificate.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
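The point Jakob makes above, that the BR "Validity Period" runs from the actual issuance date to "Not After" and that "Not Before" plays no part, can be checked mechanically. The following is an added illustration, not code from anyone in this thread or from GlobalSign: it assumes the 39-month cap on subscriber certificate validity that the thread is discussing (BR 6.3.2 at the time), and the sample dates are the ones quoted in the thread plus constructed variants. The `issuance` date is the CA's own record of when it signed the certificate; it is not a field in the certificate itself.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Limit under discussion in the thread: BR 6.3.2 capped subscriber certificate
# validity at 39 months at the time.  Per BR 1.6.1 the "Validity Period" is
# measured from the date the certificate is actually issued to "Not After".
MAX_VALIDITY_MONTHS = 39


def add_months(d: date, months: int) -> date:
    """Shift d by a whole number of calendar months, clamping the day to the
    last day of the target month (31 Jan + 1 month -> 28/29 Feb)."""
    index = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def max_not_after(issuance: date, limit_months: int = MAX_VALIDITY_MONTHS) -> date:
    """Latest notAfter permitted for a certificate actually signed on `issuance`."""
    return add_months(issuance, limit_months)


@dataclass(frozen=True)
class ValidityCheck:
    issuance: date      # when the CA actually signed (CA's records, not a cert field)
    not_before: date    # "Not Before" as encoded in the certificate
    not_after: date     # "Not After" as encoded in the certificate
    latest_allowed: date
    compliant: bool
    note: str


def check_validity(issuance: date, not_before: date, not_after: date,
                   limit_months: int = MAX_VALIDITY_MONTHS) -> ValidityCheck:
    """Apply the BR definition: only issuance -> notAfter is compared against
    the cap.  notBefore is reported but never enters the calculation."""
    latest = max_not_after(issuance, limit_months)
    if not_before > issuance:
        note = "future notBefore: does not grant extra lifetime"
    elif not_before < issuance:
        note = "backdated notBefore: does not shorten the measured period"
    else:
        note = "notBefore equals the issuance date"
    return ValidityCheck(issuance, not_before, not_after, latest,
                         not_after <= latest, note)


# Constructed scenarios built from the dates quoted in the thread.
ISSUED_TODAY = date(2018, 1, 24)
SCENARIOS = {
    # Gerv's first certificate: issued today, expires 24 Apr 2020.
    "renewal now":      (ISSUED_TODAY, ISSUED_TODAY, date(2020, 4, 24)),
    # Gerv's hypothetical second certificate, notBefore/notAfter far in the future.
    "future 39 months": (ISSUED_TODAY, date(2020, 4, 24), date(2023, 7, 24)),
    # Doug's case: notBefore 2 months ahead, 39 months counted from notBefore.
    "nb +2 months":     (ISSUED_TODAY, date(2018, 3, 24), date(2021, 6, 24)),
    # Backdated notBefore by one week; notAfter at exactly issuance + 39 months.
    "backdated 1 week": (ISSUED_TODAY, date(2018, 1, 17), date(2021, 4, 24)),
}


def run_scenarios() -> dict:
    """Evaluate every constructed scenario; returns name -> ValidityCheck."""
    return {name: check_validity(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        verdict = "OK      " if result.compliant else "EXCEEDS "
        print(f"{verdict} {name:18} notAfter={result.not_after} "
              f"latest_allowed={result.latest_allowed}  ({result.note})")
```

Running it shows that the second hypothetical certificate and the "39 months from a future notBefore" order both exceed the cap, while a backdated notBefore neither helps nor hurts: the BR clock starts at the moment of signing regardless of what the certificate says about itself.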
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy