On Thu, May 28, 2026 at 08:17:34AM +0000, Christer Holmberg wrote:
> > > Shouldn’t you FIRST compare the validity period? Then, if equal, you
> > > check the notBefore?
> > 
> > Why?
> 
> The text says:
> 
>   "This document specifies a tiebreaking scheme for RPs, preferring (1)
>    the 'more recently' issued TA certificate, (2) the TA certificate
>    with the shortest validity period among certificates with equal
>    notBefore (Section 4.6.1 of [RFC6487]),"
> 
> Assume you have 2 certificate options:
> 
> Option A: notBefore/issued one week ago (i.e., most recent). Valid for 10 
> years (I am using a large value for clarity)
> Option B: notBefore/issued two weeks ago. Valid for 6 months.
> 
> Now, if I understand correctly, the tie breaking scheme would choose Option A
> , as it has a more recent notBefore - even if the validity is much longer
> than B.
> 
> Only if the notBefore/issued are identical for A and B would B be chosen, due
> to shorter validity.
> 
> Is that the wanted outcome, or have I misunderstood?

Indeed, that is the intended outcome. The algorithm design provides a
deterministic selection method that Trust Anchor operators can rely on because
it is standardized (well, hopefully this draft eventually is published as RFC).
Note that the tiebreaker algorithm already is widely deployed.

Historically, the operators of the five commonly used Trust Anchors (RIPE NCC,
ARIN, LACNIC, APNIC, AfriNIC) have issued certificates with validity periods
'onwards from now on' (i.e., the notBefore of the new issuance being the wall
clock time at the moment of issuance.)

Consequently, the tiebreaker algorithm in RPs selecting the certificate
issuance with the most recent notBefore is what discourages Trust Anchor
operators from 'backdating' (read: issuing certificates with a notBefore that
is less recent than the previous issuance). A certificate notBefore that is
before the previous TA issuance notBefore simply will not 'take effect' in RPs.

Kind regards,

Job
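The selection rule discussed in this thread, worked through as an added example (not code from the draft, from any RP implementation, or from either correspondent): candidates are ranked by most recent notBefore first and, only among candidates with an identical notBefore, by shortest validity period. The TACert class, the select_ta_cert function and the three constructed scenarios (Christer's Option A/B, an equal-notBefore tie, and a backdated re-issuance) are assumptions made for this illustration; the dates are constructed, not taken from any real Trust Anchor.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TACert:
    """Minimal stand-in for a Trust Anchor certificate (hypothetical type,
    constructed for this example): only the fields the tiebreaker looks at."""
    name: str
    not_before: datetime
    not_after: datetime

    @property
    def validity(self) -> timedelta:
        return self.not_after - self.not_before


def select_ta_cert(candidates: list[TACert]) -> TACert:
    """Apply the two tiebreaker steps from the thread:
    (1) prefer the most recent notBefore;
    (2) among equal notBefore, prefer the shortest validity period.
    Further ties beyond these two steps are out of scope here."""
    if not candidates:
        raise ValueError("no TA certificate candidates")
    # max() over the tuple key: a later notBefore always wins; the negated
    # validity only matters when notBefore values are exactly equal.
    return max(candidates, key=lambda c: (c.not_before, -c.validity.total_seconds()))


# Constructed reference point for the scenarios below.
NOW = datetime(2026, 5, 28, tzinfo=timezone.utc)

# Scenario 1: Christer's Option A / Option B.
OPTION_A = TACert("A", NOW - timedelta(weeks=1), NOW - timedelta(weeks=1) + timedelta(days=3650))
OPTION_B = TACert("B", NOW - timedelta(weeks=2), NOW - timedelta(weeks=2) + timedelta(days=182))

# Scenario 2: identical notBefore, different validity periods.
SAME_DAY = NOW - timedelta(weeks=1)
LONG_CERT = TACert("long", SAME_DAY, SAME_DAY + timedelta(days=3650))
SHORT_CERT = TACert("short", SAME_DAY, SAME_DAY + timedelta(days=182))

# Scenario 3: a re-issuance whose notBefore is earlier than the certificate
# already in use (the 'backdating' case Job describes).
CURRENT_CERT = TACert("current", NOW - timedelta(days=30), NOW + timedelta(days=335))
BACKDATED_CERT = TACert("backdated", NOW - timedelta(days=60), NOW + timedelta(days=3650))


def chosen_names() -> dict[str, str]:
    """Return which candidate each scenario selects, so the outcome can be checked."""
    return {
        "recent_vs_short": select_ta_cert([OPTION_A, OPTION_B]).name,
        "equal_not_before": select_ta_cert([LONG_CERT, SHORT_CERT]).name,
        "backdated_reissue": select_ta_cert([CURRENT_CERT, BACKDATED_CERT]).name,
    }


if __name__ == "__main__":
    for scenario, winner in chosen_names().items():
        print(f"{scenario}: {winner}")
```

Scenario 1 confirms Christer's reading: the one-week-old ten-year certificate beats the two-week-old six-month one, because validity length is never consulted while the notBefore values differ. Scenario 3 shows the property Job relies on: a newly issued certificate with an earlier notBefore than the one already deployed is never selected, so backdating cannot displace the current issuance in an RP that follows this rule.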

_______________________________________________
Gen-art mailing list -- [email protected]