On Fri, Apr 20, 2018 at 01:30:49PM +0000, Tim Shirley via dev-security-policy 
wrote:
> This is why I'm not a fan of such precise enforcements of date-related
> compliance.  There are a lot of different ways to interpret dates/times,
> but none of the readings materially change the net effect of the rule. 
> That is, all readings change the max validity period to ~825 days (which
> itself is subject to debate as to its precise meaning in terms of seconds)
> within a day or two of each other.  So, enforcing the date as Mar 1 as
> opposed to Mar 2 doesn't seem to add a lot of value and leads to confusion
> like this.

Same thing goes the other way, though -- CAs trying to skate too close to
the line to extract maximum "value" out of the old rules also doesn't add a
lot of value, and leads to confusion like this.  If the CA had decided to
not issue certificates over 825 days after, say, Feb 25, there wouldn't have
been any confusion either.  Exact same reasoning applies to bumping up
against the ambiguity of the 825 day limit -- if a CA wants to avoid any
possibility of confusion, they can just be conservative in what they send,
and not issue certificates over, say, 820 days in length.

Live life on the edge, and you're going to fall off now and then.

- Matt
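As an added illustration that is not part of the thread, the following Python check shows how the readings Tim and Matt describe diverge: the plain difference between notBefore and notAfter versus RFC 5280's inclusive reading (notBefore through notAfter, one second more), the Mar 1 versus Mar 2 effective-date question, and why a conservative margin such as 820 days makes the dispute moot. The Mar 1, 2018 effective date comes from the thread; the sample certificates are constructed.

```python
from datetime import datetime, timedelta, timezone

SECONDS_PER_DAY = 86400
BR_LIMIT_DAYS = 825          # the limit under discussion in the thread
CONSERVATIVE_DAYS = 820      # the margin Matt suggests
# Effective date as the thread gives it (Mar 1, 2018); whether a certificate
# issued *on* that day is in scope is one of the readings being debated.
EFFECTIVE_DATE = datetime(2018, 3, 1, tzinfo=timezone.utc)


def utc(y, m, d, h=0):
    """Constructed UTC timestamp helper for sample certificates."""
    return datetime(y, m, d, h, tzinfo=timezone.utc)


def window(not_before, days):
    """(notBefore, notAfter) pair for a certificate of the given nominal length."""
    return not_before, not_before + timedelta(days=days)


def validity_seconds(not_before, not_after, inclusive):
    """Length of the validity period in seconds.
    RFC 5280 4.1.2.5 says validity runs from notBefore *through* notAfter,
    so the inclusive reading counts one second more than the plain difference."""
    delta = int((not_after - not_before).total_seconds())
    return delta + 1 if inclusive else delta


def rule_applies(not_before, on_effective_day_counts=True):
    """Is a certificate issued at not_before subject to the 825-day limit?
    The two readings differ only for certificates issued on the effective day."""
    cutoff = EFFECTIVE_DATE if on_effective_day_counts else EFFECTIVE_DATE + timedelta(days=1)
    return not_before >= cutoff


def assess(not_before, not_after):
    """Compare one certificate against the limit under both readings and the margin."""
    exclusive = validity_seconds(not_before, not_after, inclusive=False)
    inclusive = validity_seconds(not_before, not_after, inclusive=True)
    limit = BR_LIMIT_DAYS * SECONDS_PER_DAY
    return {
        "over_825_exclusive": exclusive > limit,
        "over_825_inclusive": inclusive > limit,
        # worst-case reading against the margin: no reading can dispute a pass here
        "within_820_margin": inclusive <= CONSERVATIVE_DAYS * SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    for nb, na in (window(utc(2018, 3, 2), 825), window(utc(2018, 3, 2), 819)):
        print(nb.date(), "->", na.date(), assess(nb, na))
    print(rule_applies(utc(2018, 3, 1, 12)), rule_applies(utc(2018, 3, 1, 12), False))
```

A certificate of exactly 825 nominal days passes under the plain difference and fails by one second under the inclusive reading, which is precisely the kind of dispute the margin avoids.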

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
