> > This incident makes me think that two changes should be made:
> >
> > 1) The Root Store Policy should explicitly ban forward and back-dating the
> > notBefore date.
>
> I think it would be reasonable and sensible to permit back-dating insofar as it is
> deemed necessary to accommodate client-side clock-skew.

Indeed. This was discussed at a previous Face to Face meeting, and it was generally agreed that a requirement that the notBefore date be within +-1 week of issuance would not be unreasonable. The most common practice is backdating by a few days for the reason Rob mentioned.

-Tim
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy