With respect to the action item, I'll add it to next week's VWG agenda. -Tim
> -----Original Message----- > From: Doug Beattie [mailto:doug.beat...@globalsign.com] > Sent: Wednesday, January 24, 2018 11:02 AM > To: Tim Hollebeek <tim.holleb...@digicert.com>; Rob Stradling > <rob.stradl...@comodo.com>; Jonathan Rudenberg > <jonat...@titanous.com>; mozilla-dev-security-policy <mozilla-dev-security- > pol...@lists.mozilla.org> > Subject: RE: GlobalSign certificate with far-future notBefore > > Can we consider this case closed with the action that the VWG will propose a > ballot that addresses pre and postdating certificates? > > Doug > > > -----Original Message----- > > From: dev-security-policy [mailto:dev-security-policy- > > bounces+doug.beattie=globalsign....@lists.mozilla.org] On Behalf Of > > bounces+Tim > > Hollebeek via dev-security-policy > > Sent: Wednesday, January 24, 2018 11:49 AM > > To: Rob Stradling <rob.stradl...@comodo.com>; Jonathan Rudenberg > > <jonat...@titanous.com>; mozilla-dev-security-policy > > <mozilla-dev-security- pol...@lists.mozilla.org> > > Subject: RE: GlobalSign certificate with far-future notBefore > > > > > > > > This incident makes me think that two changes should be made: > > > > > > > > 1) The Root Store Policy should explicitly ban forward and > > > > back-dating > > the > > > notBefore date. > > > > > > I think it would be reasonable and sensible to permit back-dating > > > insofar > > as it is > > > deemed necessary to accommodate client-side clock-skew. > > > > Indeed. This was discussed at a previous Face to Face meeting, and it > > was generally agreed that a requirement that the notBefore date be > > within +-1 week of issuance would not be unreasonable. > > > > The most common practice is backdating by a few days for the reason > > Rob mentioned. > > > > -Tim
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy