Hi,

> > > > Shouldn't you FIRST compare the validity period? Then, if equal,
> > > > you check the notBefore?
> > >
> > > Why?
> >
> > The text says:
> >
> > "This document specifies a tiebreaking scheme for RPs, preferring (1)
> > the 'more recently' issued TA certificate, (2) the TA certificate
> > with the shortest validity period among certificates with equal
> > notBefore (Section 4.6.1 of [RFC6487]),"
> >
> > Assume you have 2 certificate options:
> >
> > Option A: notBefore/issued one week ago (i.e., most recent). Valid for
> > 10 years (I am using a large value for clarity).
> > Option B: notBefore/issued two weeks ago. Valid for 6 months.
> >
> > Now, if I understand correctly, the tiebreaking scheme would choose
> > Option A, as it has a more recent notBefore - even if the validity is
> > much longer than B.
> >
> > Only if the notBefore/issued are identical for A and B would B be
> > chosen, due to shorter validity.
> >
> > Is that the wanted outcome, or have I misunderstood?
>
> Indeed, that is the intended outcome.

Ok, then I get it :)

> The algorithm design provides a deterministic selection method that Trust
> Anchor operators can rely on because it is standardized (well, hopefully
> this draft eventually is published as RFC).
>
> Note that the tiebreaker algorithm already is widely deployed.
>
> Historically, the operators of the five commonly used Trust Anchors (RIPE NCC,
> ARIN, LACNIC, APNIC, AfriNIC) have issued certificates with validity periods
> 'onwards from now on' (i.e., the notBefore of the new issuance being the wall
> clock time at the moment of issuance).
>
> Consequently, the tiebreaker algorithm in RPs selecting the certificate
> issuance with the most recent notBefore is what discourages Trust Anchor
> operators from 'backdating' (read: issuing certificates with a notBefore that
> is less recent than the previous issuance). A certificate notBefore that is
> before the previous TA issuance notBefore simply will not 'take effect' in RPs.

Thanks for the clarification! :)

Regards,

Christer

> Kind regards,
>
> Job
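The tiebreaker discussed in the thread, written out as an added Python example; this is not code from the mailing list post, from the draft, or from any RP implementation. The `TACert` stand-in, the certificate names and all dates are constructed for illustration, and the only selection criteria applied are the two quoted above (most recent notBefore first, then shortest validity period among equal notBefore):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TACert:
    """Constructed stand-in for a Trust Anchor certificate: only the
    fields the tiebreaker needs (notBefore / notAfter, RFC 6487 4.6.1)."""
    name: str
    not_before: datetime
    not_after: datetime

    @property
    def validity(self) -> timedelta:
        return self.not_after - self.not_before


def select_ta_certificate(candidates):
    """Pick one TA certificate out of several issuances of the same TA.

    Rule 1: prefer the most recent notBefore.
    Rule 2: among equal notBefore, prefer the shortest validity period.

    Two candidates with identical notBefore and identical validity are
    indistinguishable by these rules; the first one listed is returned
    (the thread does not describe any further tiebreak).  Returns None
    for an empty candidate list.
    """
    if not candidates:
        return None
    # A later notBefore sorts higher; a shorter validity sorts higher
    # because the timedelta is negated.
    return max(candidates, key=lambda c: (c.not_before, -c.validity))


# Constructed reference time so the scenarios are reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def thread_example():
    """Christer's Option A / Option B scenario: A issued one week ago and
    valid ten years, B issued two weeks ago and valid six months."""
    a_issued = NOW - timedelta(weeks=1)
    b_issued = NOW - timedelta(weeks=2)
    a = TACert("A", a_issued, a_issued + timedelta(days=3650))
    b = TACert("B", b_issued, b_issued + timedelta(days=182))
    return select_ta_certificate([a, b]).name  # "A": newer notBefore wins


def equal_not_before_example():
    """Same two certificates, but issued at the same instant: only now
    does the shorter validity period decide."""
    issued = NOW - timedelta(weeks=1)
    a = TACert("A", issued, issued + timedelta(days=3650))
    b = TACert("B", issued, issued + timedelta(days=182))
    return select_ta_certificate([a, b]).name  # "B": shorter validity wins


def backdated_example():
    """Job's point: a new issuance whose notBefore is older than the
    current issuance's notBefore never takes effect in an RP, no matter
    how long it is valid for."""
    current = TACert("current", NOW - timedelta(days=30), NOW + timedelta(days=335))
    backdated = TACert("backdated", NOW - timedelta(days=60), NOW + timedelta(days=3000))
    return select_ta_certificate([backdated, current]).name  # "current"


if __name__ == "__main__":
    print("Option A vs B      ->", thread_example())
    print("equal notBefore    ->", equal_not_before_example())
    print("backdated issuance ->", backdated_example())
```

The selection is a pure function of the candidates' notBefore and validity, so every RP holding the same set of issuances reaches the same choice regardless of the order in which it encountered them, which is the determinism the thread refers to.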
