Sorry - jumped to conclusions early on when I saw the title...

Doesn't that make the cert bigger? Seems like a better solution to simply 
include an issuance time rather than another signed data structure. Companies 
already complain about cert size all the time.


-----Original Message-----
From: Peter Bowen [mailto:p...@amzn.com] 
Sent: Thursday, September 22, 2016 5:23 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: CABFPub <public@cabforum.org>
Subject: Re: [cabfpub] Ballot proposal for Issuance Date

Jeremy,

The Issuance Date I proposed is explicitly not the notBefore date.  If you want 
to put the notBefore date 30 days before when you sign the certificate, that is 
fine.  However you need to include a cryptographically signed timestamp in the 
certificate that is close to the time when you signed it.  This could be a 
Signed Certificate Timestamp (from CT), an RFC 3161 timestamp from a Timestamp 
Authority, or some other format.  This then becomes the “issuanceTime” field.

How does this conflict with RFC 5280?

Thanks,
Peter

> On Sep 22, 2016, at 4:14 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:
> 
> Last time this came up, I proposed that instead of overwriting RFC 
> 5280's meaning of the notBefore date, we should include an issuanceTime 
> field that indicates the time of certificate issuance.  That way we 
> avoid conflict with the RFCs and have more flexibility with notBefore 
> to address possible clock skew issues. I still support an issuanceTime 
> field over creating a conflicting definition with the RFC.
> 
> 
> -----Original Message-----
> From: public-boun...@cabforum.org [mailto:public-boun...@cabforum.org] 
> On Behalf Of Peter Bowen
> Sent: Thursday, September 22, 2016 5:02 PM
> To: CABFPub <public@cabforum.org>
> Subject: [cabfpub] Ballot proposal for Issuance Date
> 
> I would like to propose a change to cover a current gap in the BRs.  
> Right now there is no clear link from content in the certificate to 
> the date of issuance of the certificate.  I would propose the 
> following change to the BR.  Note that this intentionally only covers 
> Subscriber (End-entity) certificates, not CA certificates.
> 
> What do others think?
> 
> Definitions:
> (new) Issuance Date: The latest of the notBefore value of a 
> certificate and the time value of any cryptographically signed 
> timestamps included in a certificate
> 
> (modified) Validity Period: The period of time measured from the 
> Issuance Date of a Certificate until the Expiry Date of a 
> Certificate.
> 
> (new) 7.1.2.3(g) Issuance Date
> The Issuance Date of the certificate must be no more than 24 hours 
> from (either before or after) the date when the CA signed the certificate.
> 
> Thanks,
> Peter
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public
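As an added example (not code from the thread or from any CA's own implementation), here is a Python sketch of Peter's proposed definition applied to the case he describes above: it pulls the timestamps out of an RFC 6962 SCT list, takes the latest of those and notBefore as the Issuance Date, and checks it against the 24-hour window in the proposed 7.1.2.3(g). The SCT bytes and the signing time are constructed sample values, and SCT signatures are not verified here; a real check would verify them against the log's key first.

```python
import struct
from datetime import datetime, timedelta, timezone

SCT_FIXED_LEN = 1 + 32 + 8 + 2  # version | log_id | timestamp (ms) | extensions length

def parse_sct_list(data: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList (2-byte total length, then
    2-byte-length-prefixed SCTs) and return each SCT's timestamp as a UTC datetime."""
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("SCT list length does not match payload")
    pos, stamps = 2, []
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        sct, pos = data[pos + 2:pos + 2 + n], pos + 2 + n
        if len(sct) < SCT_FIXED_LEN or sct[0] != 0:
            raise ValueError("truncated or non-v1 SCT")
        (ms,) = struct.unpack(">Q", sct[33:41])  # milliseconds since the Unix epoch
        stamps.append(datetime.fromtimestamp(ms / 1000, tz=timezone.utc))
    return stamps

def issuance_date(not_before: datetime, signed_timestamps: list) -> datetime:
    """Proposed definition: the latest of notBefore and any signed timestamp in the cert."""
    return max([not_before, *signed_timestamps])

def complies_with_7_1_2_3_g(issuance: datetime, signing_time: datetime) -> bool:
    """Proposed 7.1.2.3(g): Issuance Date within 24 hours, before or after, of signing."""
    return abs(issuance - signing_time) <= timedelta(hours=24)

def build_sct_list(timestamps: list) -> bytes:
    """Constructed sample input: structurally valid v1 SCTs with a dummy log ID and an
    empty signature, since only the timestamp field matters for this check."""
    items = b""
    for ts in timestamps:
        body = (b"\x00" + b"\x11" * 32 + struct.pack(">Q", int(ts.timestamp() * 1000))
                + b"\x00\x00" + b"\x04\x03\x00\x00")
        items += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(items)) + items

# Scenario from the thread: the CA backdates notBefore by 30 days (allowed) but embeds an
# SCT carrying the real signing moment, so the Issuance Date becomes the SCT time.
SIGNING_TIME = datetime(2016, 9, 22, 23, 2, tzinfo=timezone.utc)  # constructed value

def check_certificate(not_before: datetime, sct_list: bytes) -> tuple:
    """Return (Issuance Date, compliant?) for a cert's notBefore and its SCT-list bytes."""
    issued = issuance_date(not_before, parse_sct_list(sct_list) if sct_list else [])
    return issued, complies_with_7_1_2_3_g(issued, SIGNING_TIME)
```

With no signed timestamp in the certificate the Issuance Date falls back to notBefore, so a 30-day backdate fails the 24-hour check; with an SCT close to signing it passes.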
