Can we consider this case closed with the action that the VWG will propose a ballot that addresses pre and postdating certificates?
Doug > -----Original Message----- > From: dev-security-policy [mailto:dev-security-policy- > bounces+doug.beattie=globalsign....@lists.mozilla.org] On Behalf Of Tim > Hollebeek via dev-security-policy > Sent: Wednesday, January 24, 2018 11:49 AM > To: Rob Stradling <rob.stradl...@comodo.com>; Jonathan Rudenberg > <jonat...@titanous.com>; mozilla-dev-security-policy <mozilla-dev-security- > pol...@lists.mozilla.org> > Subject: RE: GlobalSign certificate with far-future notBefore > > > > > This incident makes me think that two changes should be made: > > > > > > 1) The Root Store Policy should explicitly ban forward and > > > back-dating > the > > notBefore date. > > > > I think it would be reasonable and sensible to permit back-dating > > insofar > as it is > > deemed necessary to accommodate client-side clock-skew. > > Indeed. This was discussed at a previous Face to Face meeting, and it was > generally agreed that a requirement that the notBefore date be within +-1 > week of issuance would not be unreasonable. > > The most common practice is backdating by a few days for the reason Rob > mentioned. > > -Tim _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy