I agree with Tim on the interpretation and can confirm that my intent was as Tim described.
Perhaps the confusion is over the purpose of the <30 day exception. It wasn't to exempt legacy certificates near the end of their lifetime from being revoked. It was to allow subscribers to begin using 30-day duration certificates prior to 15-January without having to replace them on the 15th.

On Wed, Nov 14, 2018 at 4:20 PM Tim Shirley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Validity period is a defined term in the BRs and refers to the time between issuance and expiry. Since the new language uses that term without any modifiers like "remaining", it seems clear to me that both of those example certificates would need to be revoked.
> ________________________________
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> on behalf of Bruce via dev-security-policy <dev-security-policy@lists.mozilla.org>
> Sent: Wednesday, November 14, 2018 5:37:20 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: CA Communication: Underscores in dNSNames
>
> Hi Wayne, I wanted to get some clarification.
>
> For example, let's say that a Subscriber has a 1 year certificate which expires on 30 January 2019. On 15 January 2019, the remaining validity period is less than 30 days; as such, I interpret that the certificate does not have to be revoked.
>
> On the other hand, if the Subscriber has a 1 year certificate which expires on 31 March 2019, then on 15 January 2019, the remaining validity period is greater than 30 days, so this certificate must be revoked.
>
> Is the above interpretation correct?
>
> Thanks, Bruce.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy