Re: GlobalSign certificate with far-future notBefore

2018-05-24 Thread bettyliew3329--- via dev-security-policy
On Wednesday, 24 January 2018 06:55:55 UTC+8, Jonathan Rudenberg wrote: > A certificate issued by GlobalSign showed up in CT today with a notBefore > date of March 21, 2018 and a notAfter date of April 23, 2021, a validity > period of ~1129 days (more than three years). > > https://crt.sh/?id=3

Re: GlobalSign certificate with far-future notBefore

2018-01-25 Thread Gervase Markham via dev-security-policy
On 24/01/18 18:02, Doug Beattie wrote: > Can we consider this case closed with the action that the VWG will > propose a ballot that addresses pre and postdating certificates? Yes. I don't believe anyone has suggested that GlobalSign broke a formal rule, either in the BRs or Mozilla's requirements.

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Tim Hollebeek via dev-security-policy
ev-security-pol...@lists.mozilla.org > Subject: Re: GlobalSign certificate with far-future notBefore > > Please also consider the practice of having an off-line CA (typically a > root) pre-issue CRLs, OCSP responses, intermediary CAs and OCSP responder > certificates for the perio

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Jakob Bohm via dev-security-policy
Rudenberg ; mozilla-dev-security-policy pol...@lists.mozilla.org> Subject: RE: GlobalSign certificate with far-future notBefore Can we consider this case closed with the action that the VWG will propose a ballot that addresses pre and postdating certificates? Doug -Original Message--

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Jakob Bohm via dev-security-policy
eattie ; mozilla-dev-security- pol...@lists.mozilla.org Subject: Re: GlobalSign certificate with far-future notBefore Hi Doug, Thanks for the quick response. On 24/01/18 11:52, Doug Beattie wrote: In the case below, the customer ordered a 39 month certificate and set the notBefore date for 2

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Tim Hollebeek via dev-security-policy
> ; mozilla-dev-security-policy pol...@lists.mozilla.org> > Subject: RE: GlobalSign certificate with far-future notBefore > > Can we consider this case closed with the action that the VWG will propose a > ballot that addresses pre and postdating certificates? > > Doug >

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Doug Beattie via dev-security-policy
Behalf Of Tim > Hollebeek via dev-security-policy > Sent: Wednesday, January 24, 2018 11:49 AM > To: Rob Stradling ; Jonathan Rudenberg > ; mozilla-dev-security-policy pol...@lists.mozilla.org> > Subject: RE: GlobalSign certificate with far-future notBefore > > > >

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Tim Hollebeek via dev-security-policy
> > This incident makes me think that two changes should be made: > > > > 1) The Root Store Policy should explicitly ban forward and back-dating the > notBefore date. > > I think it would be reasonable and sensible to permit back-dating insofar as it is > deemed necessary to accommodate client-si

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Ryan Sleevi via dev-security-policy
Ross ; mozilla-dev-security- > > pol...@lists.mozilla.org > > Subject: Re: GlobalSign certificate with far-future notBefore > > > > On 24/01/18 04:57, David E. Ross wrote: > > > I am not sure about prohibiting forward-dating the notBefore date. I > >

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Ryan Sleevi via dev-security-policy
Doug Beattie ; mozilla-dev-security- > > pol...@lists.mozilla.org > > Subject: Re: GlobalSign certificate with far-future notBefore > > > > Hi Doug, > > > > Thanks for the quick response. > > > > On 24/01/18 11:52, Doug Beattie wrote: > > > In

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Doug Beattie via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Wednesday, January 24, 2018 7:00 AM > To: Doug Beattie ; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: Re: GlobalSign certificate with far-future notBefore > > Hi Doug,

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Gervase Markham via dev-security-policy
Hi Doug, Thanks for the quick response. On 24/01/18 11:52, Doug Beattie wrote: > In the case below, the customer ordered a 39 month certificate and > set the notBefore date for 2 months into the future. Momentary 2017/2018 confusion in my brain had me thinking that this was further into the futu

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Doug Beattie via dev-security-policy
org] On Behalf Of Gervase > Markham via dev-security-policy > Sent: Wednesday, January 24, 2018 5:05 AM > To: David E. Ross ; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: Re: GlobalSign certificate with far-future notBefore > > On 24/01/18 04:57, David E. Ross wrote:

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Rob Stradling via dev-security-policy
On 23/01/18 22:55, Jonathan Rudenberg via dev-security-policy wrote: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date This incident makes me think that two changes should be made: 1) The Root Store Policy should explicitly ban forward and back-dating

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Gervase Markham via dev-security-policy
On 24/01/18 04:57, David E. Ross wrote: > I am not sure about prohibiting forward-dating the notBefore date. I > can picture a situation where an existing site certificate is going to > expire. The site's administration decides to obtain a new certificate > from a different certification authorit

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Gervase Markham via dev-security-policy
Hi Jonathan, On 23/01/18 22:55, Jonathan Rudenberg wrote: > A certificate issued by GlobalSign showed up in CT today with a notBefore > date of March 21, 2018 and a notAfter date of April 23, 2021, a validity > period of ~1129 days (more than three years). Thank you for pointing this out. This

Re: GlobalSign certificate with far-future notBefore

2018-01-23 Thread David E. Ross via dev-security-policy
On 1/23/2018 2:55 PM, Jonathan Rudenberg wrote: > A certificate issued by GlobalSign showed up in CT today with a notBefore > date of March 21, 2018 and a notAfter date of April 23, 2021, a validity > period of ~1129 days (more than three years). > > https://crt.sh/?id=311477948&opt=zlint > > C

GlobalSign certificate with far-future notBefore

2018-01-23 Thread Jonathan Rudenberg via dev-security-policy
A certificate issued by GlobalSign showed up in CT today with a notBefore date of March 21, 2018 and a notAfter date of April 23, 2021, a validity period of ~1129 days (more than three years). https://crt.sh/?id=311477948&opt=zlint CA/B Forum ballot 193 modified the Baseline Requirements to set