On 05/16/2017 08:40 AM, Rob Stradling wrote:
> On 16/05/17 13:24, Michael Casadevall via dev-security-policy wrote:
> <snip>
>> Just spitballing ideas here, but in Alex's case, part of me would be
>> tempted to see if X509 could be extended with a new "CanIssueUntil"
>> field. Basically, it would act as an off switch for CA:TRUE after a
>> given date, but certificates signed before that would still be valid for
>> that root, and then can be wound down beyond that point.
>
> That sounds like the "Private Key Usage Period" extension, which was
> present in RFC3280 but removed in RFC5280.
>
> https://tools.ietf.org/html/rfc3280#section-4.2.1.4
>

I learned something new today. I'm about to run out the door right now so I can't read the RFCs but do you know off the top of your head why that was removed?

Michael
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy