> -----Original Message----- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Wednesday, January 24, 2018 7:00 AM > To: Doug Beattie <doug.beat...@globalsign.com>; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: Re: GlobalSign certificate with far-future notBefore > > Hi Doug, > > Thanks for the quick response. > > On 24/01/18 11:52, Doug Beattie wrote: > > In the case below, the customer ordered a 39 month certificate and set > > the notBefore date for 2 months into the future. > > Momentary 2017/2018 confusion in my brain had me thinking that this was > further into the future than it actually was. But yet still, it is the other > side of a > reduction in certificate lifetime deadline. > > > We permit customers to set a notBefore date into the future, possibly > > for the reason listed below, but there could be other reasons. > > So if a customer came to you today and renewed their certificate for > www.example.com with validity from 24th Jan 2017 to 24th Apr 2020 > (perfectly fine), and then requested a second 39-month certificate valid from > 24th Apr 2020 to 24th July 2023, would you issue this second one?
No, we would not issue that certificate. In no case would we issue a certificate that has a notAfter more than 39 months from today, which is currently 24 Apr 2021. > Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy