Last time this came up, I proposed that instead of overwriting RFC 5280's
meaning of the notBefore date, we should include an issuanceTime field that
indicates the time of certificate issuance.  That way we avoid conflict with
the RFCs and have more flexibility with notBefore to address possible clock
skew issues. I still support an issuanceTime field over creating a
conflicting definition with the RFC.


-----Original Message-----
From: public-boun...@cabforum.org [mailto:public-boun...@cabforum.org] On
Behalf Of Peter Bowen
Sent: Thursday, September 22, 2016 5:02 PM
To: CABFPub <public@cabforum.org>
Subject: [cabfpub] Ballot proposal for Issuance Date

I would like to propose a change to cover a current gap in the BRs.  Right
now there is no clear link from content in the certificate to the date of
issuance of the certificate.  I would propose the following change to the
BR.  Note that this intentionally only covers Subscriber (End-entity)
certificates, not CA certificates.

What do others think?

Definitions:
(new) Issuance Date: The latest of the notBefore value of a certificate and
the time value of any cryptographically signed timestamps included in a
certificate

(modified) Validity Period: The period of time measured from the Issuance
Date of a Certificate is issued until the Expiry Date of a Certificate.

(new) 7.1.2.3(g) Issuance Date
The Issuance Date of the certificate must be no more than 24 hours from
(either before or after) the date when the CA signed the certificate.

Thanks,
Peter
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public
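
The following is an added example, not part of the original thread or of any CA/Browser Forum text. It computes the proposed Issuance Date and applies the proposed 24-hour check, assuming the "cryptographically signed timestamps" are RFC 6962 SCTs supplied as the TLS-encoded list; all function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def sct_timestamps(sct_list: bytes) -> list:
    """Timestamps from a TLS-encoded SignedCertificateTimestampList (RFC 6962).
    Signatures are not verified here; a real checker must verify them first."""
    if len(sct_list) < 2 or int.from_bytes(sct_list[:2], "big") != len(sct_list) - 2:
        raise ValueError("SCT list length mismatch")
    stamps, pos = [], 2
    while pos < len(sct_list):
        sct_len = int.from_bytes(sct_list[pos:pos + 2], "big")
        sct = sct_list[pos + 2:pos + 2 + sct_len]
        # Need at least version (1) + log id (32) + timestamp (8) bytes.
        if len(sct) != sct_len or sct_len < 41 or sct[0] != 0:
            raise ValueError("truncated or unsupported SCT")
        ms = int.from_bytes(sct[33:41], "big")  # milliseconds since the epoch
        stamps.append(EPOCH + timedelta(milliseconds=ms))
        pos += 2 + sct_len
    return stamps

def issuance_date(not_before: datetime, sct_list: bytes = b"") -> datetime:
    """Proposed definition: latest of notBefore and any signed timestamps."""
    return max([not_before] + (sct_timestamps(sct_list) if sct_list else []))

def within_window(issuance: datetime, signed_at: datetime) -> bool:
    """Proposed 7.1.2.3(g): no more than 24 hours before or after signing."""
    return abs(issuance - signed_at) <= timedelta(hours=24)

def make_sct(ts: datetime) -> bytes:
    """Build a constructed v1 SCT (dummy log id and signature) for the sample."""
    ms = (ts - EPOCH) // timedelta(milliseconds=1)
    body = (b"\x00" + b"\x11" * 32 + ms.to_bytes(8, "big") + b"\x00\x00"
            + b"\x04\x03" + b"\x00\x04" + b"\xaa" * 4)
    return len(body).to_bytes(2, "big") + body

# Constructed sample values, not taken from any real certificate.
NOT_BEFORE = datetime(2016, 9, 20, 0, 0, tzinfo=timezone.utc)  # backdated
SIGNED_AT = datetime(2016, 9, 22, 17, 2, tzinfo=timezone.utc)  # CA signing time
T1 = datetime(2016, 9, 22, 16, 58, tzinfo=timezone.utc)
T2 = datetime(2016, 9, 22, 17, 0, tzinfo=timezone.utc)
_scts = make_sct(T1) + make_sct(T2)
SCT_LIST = len(_scts).to_bytes(2, "big") + _scts

if __name__ == "__main__":
    with_scts = issuance_date(NOT_BEFORE, SCT_LIST)
    print(with_scts, within_window(with_scts, SIGNED_AT))
    print(NOT_BEFORE, within_window(issuance_date(NOT_BEFORE), SIGNED_AT))
```

With the sample values, the same backdated notBefore passes the check when SCTs are embedded and fails it when they are not, which is the interaction with clock-skew backdating raised in the reply.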
