[cabfpub] Durations

Peter Bowen pzb at amzn.com
Sun Feb 5 05:33:28 UTC 2017


I would expect that a human vetter would be told “13 months” or even better “one year and one month”, which are great explanations for people.  It seems completely reasonable to put a note in the requirement for 398 days that says something like “approximately 13 months” as a guide to how the number was reached.

However, as I’m sure you know from talking with auditors, requirements with broad durations such as “each year” or “once per year” have surprising compliance interpretations.  For both of those, it would probably be compliant to do the action on 1 Jan 2016 and again on 31 December 2017 and meet that requirement.  Almost two years have elapsed between them but it was done once in 2016 and once in 2017, meeting the requirement.

I don’t want to be in a position of surprising recipients of audit reports who are expecting something different than what is actually required.


> On Feb 4, 2017, at 1:16 PM, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
> Peter - don't you think "13 months" already encompasses all cases like what you show below (start date and end date 13 months apart based on the dates themselves, even if that means the number of days varies a little), and will encompass all situations, like when the 13th month has 28, 29, 30 or 31 days?  
> I think it's easier for humans to calculate when 13 months ends (in an easy human readable form), instead of making humans calculate when a period of 398 days ends.  (Let's see, if the start date is Feb. 1, the end date is, what, March 3 or March 4?  But if the start date is March 1, the end date is March 30 or March 31?  But what about Leap Year?  And what about months that only have 30 days?)
> I just think going to days instead of months could lead to human errors and a little lack of clarity, especially for vetters.
> -----Original Message-----
> From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen via Public
> Sent: Saturday, February 4, 2017 12:12 PM
> To: CA/Browser Forum Public Discussion List <public at cabforum.org>
> Cc: Peter Bowen <pzb at amzn.com>
> Subject: [cabfpub] Durations
> I’ve been trying to calculate the potential impact of various recent proposals by looking at existing known certificates.  One thing that has become very obvious is that durations in units of whole “years” or “months” are actually really hard to calculate.  Consider a certificate with notBefore of 2016-07-31 00:00:00 +0000 and notAfter of 2017-08-31 23:59:59 +0000.  This is, at least to me, pretty clearly a 13 month duration.  It is also 34300799 seconds, which works out to 396.9999884 days, which is longer than the obvious definition of 13 months.
> As people are drafting ballots, can you please consider specifying intervals in days and using the maximum case for the interval (assuming leap years, long months, leap seconds, rounding etc)?  For example, if you want to specify 13 months, please consider using 366 + 31 + 1 = 398 days.
> Thanks,
> Peter
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
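
The arithmetic discussed in this thread, as an added example that is not part of either message: it recomputes the duration of the quoted certificate and brute-forces the shortest and longest span that "13 months" can cover. The helper names, the clamp-to-month-end rule in `add_months` and the 2016 to 2023 scan range are assumptions of the example.

```python
import calendar
from datetime import date, datetime, timedelta, timezone

# The certificate quoted in the thread (values taken from the message).
NOT_BEFORE = datetime(2016, 7, 31, 0, 0, 0, tzinfo=timezone.utc)
NOT_AFTER = datetime(2017, 8, 31, 23, 59, 59, tzinfo=timezone.utc)


def add_months(d: date, months: int) -> date:
    """Calendar-month addition. Clamping to the last day of a shorter
    target month is this example's assumption; the thread does not define it."""
    y, m0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    last_day = calendar.monthrange(y, m0 + 1)[1]
    return date(y, m0 + 1, min(d.day, last_day))


def month_span_days(months: int, first_year: int = 2016, last_year: int = 2023):
    """Return (shortest, longest) length in days of a `months`-month span,
    scanning every start date in the given years (the range is arbitrary
    but covers two leap years)."""
    spans = []
    d = date(first_year, 1, 1)
    while d.year <= last_year:
        spans.append((add_months(d, months) - d).days)
        d += timedelta(days=1)
    return min(spans), max(spans)


def validity_seconds(not_before: datetime, not_after: datetime) -> int:
    """Elapsed seconds between notBefore and notAfter."""
    return int((not_after - not_before).total_seconds())


def within_limit(not_before: datetime, not_after: datetime, max_days: int) -> bool:
    """Day-based check: a fixed number of days, no calendar arithmetic."""
    return not_after - not_before <= timedelta(days=max_days)


if __name__ == "__main__":
    secs = validity_seconds(NOT_BEFORE, NOT_AFTER)
    print(secs, secs / 86400)
    print(month_span_days(13))
    print(within_limit(NOT_BEFORE, NOT_AFTER, 396))
    print(within_limit(NOT_BEFORE, NOT_AFTER, 398))
```

The longest date-to-date span found is one day short of the 398 proposed in the message, which adds one more day to cover end-of-day notAfter values and rounding.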
