We have realised that, contrary to previous thinking, notAfter, at least, cannot be different between the proof request (or pre-cert as we have also called it) and the issued cert.
Why? Because if it is allowed to be different then an attacker could mis-issue a certificate, which gets revoked, wait until its validity period is over so it is dropped from the CRL, and then re-issue with a new validity period and start using it. Is this a problem for CAs? It seems, also, that it would be sensible to have the same requirement for notBefore. Is that a problem?
_______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
