Please also consider the practice of having an off-line CA (typically a
root) pre-issue CRLs, OCSP responses, intermediary CAs and OCSP
responder certificates for the period until the next root-key-usage
ceremony.

This practice will naturally involve forward-dating of all of these
items.

On 24/01/2018 19:03, Tim Hollebeek wrote:
With respect to the action item, I'll add it to next week's VWG agenda.

-Tim

-----Original Message-----
From: Doug Beattie [mailto:doug.beat...@globalsign.com]
Sent: Wednesday, January 24, 2018 11:02 AM
To: Tim Hollebeek <tim.holleb...@digicert.com>; Rob Stradling
<rob.stradl...@comodo.com>; Jonathan Rudenberg
<jonat...@titanous.com>; mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: RE: GlobalSign certificate with far-future notBefore

Can we consider this case closed with the action that the VWG will propose a ballot that addresses pre- and postdating certificates?

Doug

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+doug.beattie=globalsign....@lists.mozilla.org] On Behalf Of Tim Hollebeek via dev-security-policy
Sent: Wednesday, January 24, 2018 11:49 AM
To: Rob Stradling <rob.stradl...@comodo.com>; Jonathan Rudenberg
<jonat...@titanous.com>; mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: RE: GlobalSign certificate with far-future notBefore


This incident makes me think that two changes should be made:

1) The Root Store Policy should explicitly ban forward and back-dating the notBefore date.

I think it would be reasonable and sensible to permit back-dating insofar as it is deemed necessary to accommodate client-side clock-skew.

Indeed.  This was discussed at a previous Face to Face meeting, and it
was generally agreed that a requirement that the notBefore date be
within +-1 week of issuance would not be unreasonable.

The most common practice is backdating by a few days for the reason
Rob mentioned.

-Tim



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
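The thread floats a rule that notBefore must fall within +-1 week of actual issuance, with a few days of backdating tolerated for client clock skew, and Jakob raises the related case of an off-line root pre-issuing CRLs and OCSP responses whose thisUpdate is deliberately in the future. The following is an added example written for this page, not code from the thread, GlobalSign, DigiCert or Mozilla. It parses the two ASN.1 time encodings RFC 5280 allows in certificates and CRLs (UTCTime for years up to 2049, GeneralizedTime from 2050) and classifies an object's effective date against the issuance time. The +-7 day window is a parameter mirroring the proposal, not a published requirement; the "issued_at" reference is assumed to come from the CA's own issuance log (or a CT SCT timestamp for certificates); and the sample records are constructed, not real certificates.

```python
"""Classify certificate notBefore / CRL thisUpdate against an issuance window.

Added example for the dev-security-policy thread above; not the project's code.
Assumptions: the +-7 day window is the tolerance floated in the thread, and
"issued_at" is supplied from a trusted source (CA issuance log, CT SCT).
"""
from datetime import datetime, timedelta, timezone


def parse_asn1_time(s: str) -> datetime:
    """Parse a DER UTCTime ('YYMMDDHHMMSSZ') or GeneralizedTime ('YYYYMMDDHHMMSSZ').

    RFC 5280 4.1.2.5 requires both forms to be in Zulu time with seconds.
    UTCTime carries a two-digit year; the 50/49 pivot (1950..2049) is the one
    RFC 5280 prescribes, which is why far-future dates must use GeneralizedTime.
    """
    if not s.endswith("Z"):
        raise ValueError("certificate times must be Zulu-time encoded")
    body = s[:-1]
    if len(body) == 12:            # UTCTime: YYMMDDHHMMSS
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:          # GeneralizedTime: YYYYMMDDHHMMSS
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unrecognised time encoding: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def classify_effective_date(asn1_time: str, issued_at_iso: str, tolerance_days: int = 7) -> str:
    """Return 'ok', 'forward-dated' or 'backdated'.

    asn1_time is the object's effective date as encoded in DER (notBefore for a
    certificate, thisUpdate for a CRL or OCSP response); issued_at_iso is the
    time the signing actually happened. The window is symmetric, so a few days
    of clock-skew backdating passes while a month-ahead notBefore does not.
    """
    effective = parse_asn1_time(asn1_time)
    issued_at = datetime.fromisoformat(issued_at_iso)
    if issued_at.tzinfo is None:   # treat naive timestamps as UTC (assumption)
        issued_at = issued_at.replace(tzinfo=timezone.utc)
    delta = effective - issued_at
    tolerance = timedelta(days=tolerance_days)
    if delta > tolerance:
        return "forward-dated"
    if delta < -tolerance:
        return "backdated"
    return "ok"


# Constructed sample records (not real certificates or CRLs):
# (name, DER-encoded effective date, actual signing time as ISO 8601).
SAMPLES = [
    ("cert-A", "180122110200Z", "2018-01-24T11:02:00+00:00"),    # 2 days back: clock-skew allowance
    ("cert-B", "180301000000Z", "2018-01-24T11:02:00+00:00"),    # notBefore five weeks ahead
    ("cert-C", "171201000000Z", "2018-01-24T11:02:00+00:00"),    # backdated about eight weeks
    ("crl-D", "20500101000000Z", "2049-12-30T00:00:00+00:00"),   # GeneralizedTime, pre-issued 2 days ahead
]


def audit(samples=SAMPLES, tolerance_days: int = 7) -> dict:
    """Run the policy check over a batch and return {name: verdict}."""
    return {name: classify_effective_date(t, issued, tolerance_days) for name, t, issued in samples}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

Run stand-alone, the script prints one verdict per sample. An off-line root that pre-issues CRLs for a long interval between key ceremonies (Jakob's case) would trip the same check on thisUpdate with a far larger lead than two days, which is the kind of exception a ballot would have to spell out rather than leave to a symmetric window.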
