The Issuance Date I proposed is explicitly not the notBefore date. If you want
to put the notBefore date 30 days before when you sign the certificate, that is
fine. However you need to include a cryptographically signed timestamp in the
certificate that is close to the time when you signed it. This could be a
Signed Certificate Timestamp (from CT), an RFC 3161 timestamp from a Timestamp
Authority, or some other format. This then becomes the “issuanceTime” field.
How does this conflict with RFC 5280?
> On Sep 22, 2016, at 4:14 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:
> Last time this came up, I proposed that instead of overwriting RFC 5280's
> meaning of the notBefore date, we should include an issuanceTime field that
> indicates the time of certificate issuance. That way we avoid conflict with
> the RFCs and have more flexibility with notBefore to address possible clock
> skew issues. I still support an issuanceTime field over creating a
> conflicting definition with the RFC.
> -----Original Message-----
> From: public-boun...@cabforum.org [mailto:public-boun...@cabforum.org] On
> Behalf Of Peter Bowen
> Sent: Thursday, September 22, 2016 5:02 PM
> To: CABFPub <firstname.lastname@example.org>
> Subject: [cabfpub] Ballot proposal for Issuance Date
> I would like to propose a change to cover a current gap in the BRs. Right
> now there is no clear link from content in the certificate to the date of
> issuance of the certificate. I would propose the following change to the
> BR. Note that this intentionally only covers Subscriber (End-entity)
> certificates, not CA certificates.
> What do others think?
> (new) Issuance Date: The latest of the notBefore value of a certificate and
> the time value of any cryptographically signed timestamps included in a
> (modified) Validity Period: The period of time measured from the Issuance
> Date of a Certificate until the Expiry Date of a Certificate.
> (new) 188.8.131.52(g) Issuance Date
> The Issuance Date of the certificate must be no more than 24 hours from
> (either before or after) the date when the CA signed the certificate.
> Public mailing list
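As an added illustration of the rule under discussion (this code is not from the thread or from the CAB Forum BRs), the following computes the proposed Issuance Date from a certificate's notBefore and the SCTs carried in its CT extension, then applies the 24-hour check. The SCT list bytes are constructed test data with a dummy log id and signature, function names are my own, and RFC 3161 timestamps are not handled.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def encode_sct_list(timestamps):
    """Build an RFC 6962 SignedCertificateTimestampList of constructed v1 SCTs
    (dummy log id and signature) for the given datetimes. Test data only."""
    items = b""
    for ts in timestamps:
        body = (b"\x00" + b"\x11" * 32                          # version v1, 32-byte log_id
                + struct.pack(">Q", int(ts.timestamp() * 1000))  # uint64 ms since epoch
                + b"\x00\x00"                                   # empty CT extensions
                + b"\x04\x03\x00\x04" + b"\xde\xad\xbe\xef")     # sha256/ecdsa, 4-byte fake sig
        items += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(items)) + items

def sct_timestamps(sct_list):
    """Parse a SignedCertificateTimestampList (payload of the CT precertificate
    SCT extension) and return each SCT's timestamp as an aware UTC datetime."""
    total, = struct.unpack(">H", sct_list[:2])
    pos, end, out = 2, 2 + total, []
    while pos < end:
        n, = struct.unpack(">H", sct_list[pos:pos + 2]); pos += 2
        sct = sct_list[pos:pos + n]; pos += n
        if sct[0] != 0:                               # only SCT version v1 (0) is defined
            raise ValueError("unknown SCT version %d" % sct[0])
        ts_ms, = struct.unpack(">Q", sct[33:41])     # after version byte + 32-byte log id
        out.append(datetime.fromtimestamp(ts_ms / 1000, tz=UTC))
    return out

def issuance_date(not_before, signed_timestamps):
    """Proposed Issuance Date: the latest of notBefore and any signed timestamp."""
    return max([not_before, *signed_timestamps])

def issuance_date_ok(not_before, signed_timestamps, signed_at, window=timedelta(hours=24)):
    """Proposed 24-hour rule: Issuance Date within +/- window of when the CA signed."""
    return abs(issuance_date(not_before, signed_timestamps) - signed_at) <= window

# Constructed scenario: the CA signs on 2016-09-22 21:02 UTC, backdates notBefore
# by 30 days, and embeds an SCT obtained 30 seconds before signing.
SIGNED_AT = datetime(2016, 9, 22, 21, 2, 0, tzinfo=UTC)
NOT_BEFORE = SIGNED_AT - timedelta(days=30)
SCT_TIME = SIGNED_AT - timedelta(seconds=30)
SCT_LIST = encode_sct_list([SCT_TIME])

def check_with_sct():      # True: the SCT pins issuance to the real signing time
    return issuance_date_ok(NOT_BEFORE, sct_timestamps(SCT_LIST), SIGNED_AT)

def check_without_sct():   # False: a backdated notBefore alone fails the 24-hour rule
    return issuance_date_ok(NOT_BEFORE, [], SIGNED_AT)

if __name__ == "__main__":
    print("with SCT:", check_with_sct(), "without SCT:", check_without_sct())
```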