Last time this came up, I proposed that instead of overwriting RFC 5280's
meaning of the notBefore date, we should include a issuanceTime field that
indicates the time of certificate issuance.  That way we avoid conflict with
the RFCs and have more flexibility with notBefore to address possible clock
skew issues. I still support an issuanceTime field over creating a
conflicting definition with the RFC.

-----Original Message-----
From: [] On
Behalf Of Peter Bowen
Sent: Thursday, September 22, 2016 5:02 PM
To: CABFPub <>
Subject: [cabfpub] Ballot proposal for Issuance Date

I would like to propose a change to cover a current gap in the BRs.  Right
now there is no clear link from content in the certificate to the date of
issuance of the certificate.  I would propose the following change to the
BR.  Note that this intentionally only covers Subscriber (End-entity)
certificates, not CA certificates.

What do others think?

(new) Issuance Date: The latest of the notBefore value of a certificate and
the time value of any cryptographically signed timestamps included in a

(modified) Validity Period: The period of time measured from the Issuance
Date of a Certificate is issued until the Expiry Date of a Certificate.

(new) Issuance Date
The Issuance Date of the certificate must be no more than 24 hours from
(either before or after) the date when the CA signed the certificate.

Public mailing list

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Public mailing list

Reply via email to