[cabf_validation] Backing Certificates

[Aaron Gable]

Merely as a data point, Let's Encrypt / ISRG's ACME implementation
(Boulder) does not allow any forward-dating[1]. We do backdate all of our
certificates[2] a small amount (1 hour) to provide leeway for clock skew,
and separately enforce that certificates are not backdated[3] by more than
a small amount (1 hour 5 minutes).

Speaking personally: since we do allow validation re-use (for up to 398
days, as of SC42v2), it would make sense to also explicitly limit
backdating to the period in which the CA had validated the certificate
data. Because a given certificate (particularly OV or EV) may contain
multiple pieces of data which were validated at different times, the
backdating must be restricted to the period of time when *all* certificate
data was validated, not the earliest validation. And then there should be a
small (on the order of hours) grace period to account for clock skew. I
would propose something like:

Section 4.2.2, or Section 4.3.1:
CAs SHALL NOT issue Subscriber Certificates containing `notBefore` dates
earlier than 24 hours prior to the most recent time at which certificate
data was validated as per Section 3.2.

This has a few falings: I'm honestly not sure which section it better fits;
the phrasing is awkward; and it doesn't address the scenario of "I perform
this same validation every 30 days and it's always been valid for the past
year; how far back can I backdate?".

Aaron

[1]
https://github.com/letsencrypt/boulder/blob/5457680a9c8ce34d0456ccf289ed347a8529a31e/issuance/issuance.go#L328-L330
[2]
https://github.com/letsencrypt/boulder/blob/5457680a9c8ce34d0456ccf289ed347a8529a31e/ca/ca.go#L479
[3]
https://github.com/letsencrypt/boulder/blob/5457680a9c8ce34d0456ccf289ed347a8529a31e/issuance/issuance.go#L325-L327

On Thu, Apr 22, 2021 at 3:53 PM Ryan Sleevi via Validation <
validation at cabforum.org> wrote:

> Per our call today, I filed
> https://github.com/cabforum/servercert/issues/266 to track the discussion
> had around backdating certificates, both subscriber certs and CA
> certificates.
>
> Given that the concerns of backdating equally tie in to the validation of
> information, it seemed useful to have the discussion within the
> subcommittee to see if there's alignment on a path forward for
> reducing/prohibiting backdating.
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/validation
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20210426/f252aec2/attachment.html>