Re: GlobalSign certificate with far-future notBefore

2018-05-24 Thread bettyliew3329--- via dev-security-policy
On Wednesday, 24 January 2018 06:55:55 UTC+8, Jonathan Rudenberg wrote: > A certificate issued by GlobalSign showed up in CT today with a notBefore > date of March 21, 2018 and a notAfter date of April 23, 2021, a validity > period of ~1129 days (more than three years). > >

Re: GlobalSign certificate with far-future notBefore

2018-01-25 Thread Gervase Markham via dev-security-policy
On 24/01/18 18:02, Doug Beattie wrote: > Can we consider this case closed with the action that the VWG will > propose a ballot that addresses pre and postdating certificates? Yes. I don't believe anyone has suggested that GlobalSign broke a formal rule, either in the BRs or Mozilla's

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Tim Hollebeek via dev-security-policy
...@lists.mozilla.org > Subject: Re: GlobalSign certificate with far-future notBefore > > Please also consider the practice of having an off-line CA (typically a > root) pre-issue CRLs, OCSP responses, intermediary CAs and OCSP responder > certificates for the period un

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Jakob Bohm via dev-security-policy
eattie <doug.beat...@globalsign.com>; mozilla-dev-security- pol...@lists.mozilla.org Subject: Re: GlobalSign certificate with far-future notBefore Hi Doug, Thanks for the quick response. On 24/01/18 11:52, Doug Beattie wrote: In the case below, the customer ordered a 39 month certifi

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Tim Hollebeek via dev-security-policy
ling > <rob.stradl...@comodo.com>; Jonathan Rudenberg > <jonat...@titanous.com>; mozilla-dev-security-policy pol...@lists.mozilla.org> > Subject: RE: GlobalSign certificate with far-future notBefore > > Can we consider this case closed with the action that the VWG will prop

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Doug Beattie via dev-security-policy
On Behalf Of Tim > Hollebeek via dev-security-policy > Sent: Wednesday, January 24, 2018 11:49 AM > To: Rob Stradling <rob.stradl...@comodo.com>; Jonathan Rudenberg > <jonat...@titanous.com>; mozilla-dev-security-policy pol...@lists.mozilla.org> > Subject: RE: GlobalSig

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Tim Hollebeek via dev-security-policy
> > This incident makes me think that two changes should be made: > > > > 1) The Root Store Policy should explicitly ban forward and back-dating the > notBefore date. > > I think it would be reasonable and sensible to permit back-dating insofar as it is > deemed necessary to accommodate

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Ryan Sleevi via dev-security-policy
nobody@nowhere.invalid>; mozilla-dev-security- > > pol...@lists.mozilla.org > > Subject: Re: GlobalSign certificate with far-future notBefore > > > > On 24/01/18 04:57, David E. Ross wrote: > > > I am not sure about prohibiting forward-dating the notBefore date.

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Ryan Sleevi via dev-security-policy
> > To: Doug Beattie <doug.beat...@globalsign.com>; mozilla-dev-security- > > pol...@lists.mozilla.org > > Subject: Re: GlobalSign certificate with far-future notBefore > > > > Hi Doug, > > > > Thanks for the quick response. > > > > On 24/01/18 11:52

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Doug Beattie via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Wednesday, January 24, 2018 7:00 AM > To: Doug Beattie <doug.beat...@globalsign.com>; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: Re: GlobalSign certificate with far-

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Gervase Markham via dev-security-policy
Hi Doug, Thanks for the quick response. On 24/01/18 11:52, Doug Beattie wrote: > In the case below, the customer ordered a 39 month certificate and > set the notBefore date for 2 months into the future. Momentary 2017/2018 confusion in my brain had me thinking that this was further into the

RE: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Doug Beattie via dev-security-policy
rvase > Markham via dev-security-policy > Sent: Wednesday, January 24, 2018 5:05 AM > To: David E. Ross <nobody@nowhere.invalid>; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: Re: GlobalSign certificate with far-future notBefore > > On 24/01/18 04:57, David

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Rob Stradling via dev-security-policy
On 23/01/18 22:55, Jonathan Rudenberg via dev-security-policy wrote: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date This incident makes me think that two changes should be made: 1) The Root Store Policy should explicitly ban forward and

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Gervase Markham via dev-security-policy
On 24/01/18 04:57, David E. Ross wrote: > I am not sure about prohibiting forward-dating the notBefore date. I > can picture a situation where an existing site certificate is going to > expire. The site's administration decides to obtain a new certificate > from a different certification

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Gervase Markham via dev-security-policy
Hi Jonathan, On 23/01/18 22:55, Jonathan Rudenberg wrote: > A certificate issued by GlobalSign showed up in CT today with a notBefore > date of March 21, 2018 and a notAfter date of April 23, 2021, a validity > period of ~1129 days (more than three years). Thank you for pointing this out. This

Re: GlobalSign certificate with far-future notBefore

2018-01-23 Thread David E. Ross via dev-security-policy
On 1/23/2018 2:55 PM, Jonathan Rudenberg wrote: > A certificate issued by GlobalSign showed up in CT today with a notBefore > date of March 21, 2018 and a notAfter date of April 23, 2021, a validity > period of ~1129 days (more than three years). > > https://crt.sh/?id=311477948=zlint > > CA/B