[cabfpub] Short-Lived Certificate Draft Ballot

Rob Stradling rob.stradling at comodo.com
Thu Oct 8 15:34:19 MST 2015


On 08/10/15 19:51, Ryan Sleevi wrote:
> On Thu, Oct 8, 2015 at 8:19 AM, Rob Stradling wrote:
<snip>
>     So I propose this definition...
>
>         "Issuance Time: The time at which a Certificate's digital signature
>          is calculated."
>
> Seems reasonable. Glad to not be the only one who quibbles on minutiae ;)

:-)

>      > *__*
>      >
>      > _Short-Lived Certificate: A Certificate with a total validity period
>     > less than 96 hours and a notBefore time no earlier than 24 hours before
>     > the Issuance Time and a notAfter time no later than 72 hours after the
>      > Issuance Time._
>
>     "total" seems redundant.
>
> Fair point
>
>     Also, "Validity Period" is already a Defined Term.  It would make sense
>     to use it!  The current definition...
>         "Validity Period: The period of time measured from the date when the
>          Certificate is issued until the Expiry Date."
>     ...seems wrong though.  Shouldn't it be the period of time between
>     notBefore and notAfter?
>
>
> It seems the whole "total validity period less than 96 hours" is itself
> not a normative requirement, but merely serves as a descriptive language
> to make it easier to understand the following two clauses (re: 24 hours
> and 72 hours). You can't have a cert whose Validity Period is greater
> than 96 hours that meets those two definitions, so it's not necessary,
> but it does serve an illustrative point.
>
> That's me saying that it doesn't seem that your second proposed change
> is necessary, and Tim's point about why the current language is what it
> is is something I'd agree with.

RFC5280 says:
   "The validity period for a certificate is the period of time from
    notBefore through notAfter, inclusive."

In the interest of avoiding confusion, consistency would be nice.

Could we change "Validity Period" to match RFC5280, and then define a 
new term(*) that means "from Issuance Time to Expiry Date, inclusive"?

(*) How about "Certificate Usage Period" ?
(Inspired by RFC2459 section 4.2.1.4)

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


More information about the Public mailing list