On Tue, Mar 03, 2020 at 01:53:49PM -0800, Clint Wilson wrote:
> On Mar 3, 2020, at 1:41 PM, Matt Palmer via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
> > On Tue, Mar 03, 2020 at 11:55:24AM -0800, Clint Wilson via
> > dev-security-policy wrote:
> >> For additional information, please see
> >> https://support.apple.com/en-us/HT211025.
> >
> > I have a question regarding this part:
> >
> >> TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC
> >> must not have a validity period greater than 398 days.
> >
> > How is Apple determining when a certificate was issued? That's
> > traditionally been pretty tricky to determine, exactly, so I'm curious to
> > know how Apple has solved it.
>
> This is determined using the notBefore value in the certificate; if the
> notBefore value is greater than or equal to September 1, 2020 00:00
> GMT/UTC, then the updated policy will apply.

It may be worth clarifying that in the support article.

Are Apple intending on taking any active steps to dissuade CAs from backdating certificates? Relatedly, does Apple have a similar stance against backdating to that of Mozilla, which lists it as a "potentially problematic practice"?

- Matt
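
The notBefore-based rule quoted in the thread, written out as an added example (not part of the original messages and not Apple's code). The function names and the sample dates are constructed for illustration, and the validity period is assumed to be the plain difference between notAfter and notBefore, since the thread does not say how the duration is computed.

```python
from datetime import datetime, timedelta, timezone

# Cutoff and limit as stated in the policy text quoted in the thread.
CUTOFF = datetime(2020, 9, 1, 0, 0, 0, tzinfo=timezone.utc)
MAX_VALIDITY = timedelta(days=398)


def parse_asn1_time(value: str) -> datetime:
    """Parse an X.509 Time string: UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime."""
    digits = value[:-1]
    if not (value.endswith("Z") and digits.isascii() and digits.isdigit()):
        raise ValueError("expected an all-digit UTC time ending in 'Z'")
    if len(digits) == 12:
        # RFC 5280 two-digit year rule: YY >= 50 is 19YY, otherwise 20YY.
        digits = ("19" if int(digits[:2]) >= 50 else "20") + digits
    elif len(digits) != 14:
        raise ValueError("unsupported time encoding")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_validity(not_before: str, not_after: str) -> str:
    """Classify one certificate as 'exempt', 'compliant' or 'too-long'."""
    start, end = parse_asn1_time(not_before), parse_asn1_time(not_after)
    if end < start:
        raise ValueError("notAfter precedes notBefore")
    if start < CUTOFF:
        # The rule keys on notBefore alone, a value the issuing CA writes.
        return "exempt"
    # Assumption: duration is notAfter - notBefore, with no extra
    # inclusive-second adjustment.
    return "too-long" if end - start > MAX_VALIDITY else "compliant"


# Constructed (notBefore, notAfter) pairs, not taken from real certificates.
SAMPLES = {
    "exactly 398 days from cutoff": ("200901000000Z", "211004000000Z"),
    "398 days plus one second": ("200901000000Z", "211004000001Z"),
    "two years, notBefore one second early": ("200831235959Z", "220831235959Z"),
}


def evaluate_samples() -> dict:
    return {name: check_validity(*pair) for name, pair in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:10} {name}")
```

The third sample shows why the thread asks about backdating: a two-year certificate whose notBefore falls one second before the cutoff is outside the rule, so a log-based comparison of notBefore against the earliest Certificate Transparency timestamp is the kind of check an auditor would pair with this one.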