On Tue, Aug 9, 2022 at 3:33 PM Rob Sayre <say...@gmail.com> wrote:
> On Tue, Aug 9, 2022 at 3:15 PM Eric Rescorla <e...@rtfm.com> wrote:
>
>> On Mon, Aug 8, 2022 at 10:04 PM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>>
>>> Hal Murray <halmurray+...@sonic.net> writes:
>>>
>>> >Many security schemes get tangled up with time. TLS has time limits on
>>> >certificates. That presents a chicken-egg problem for NTP when getting
>>> >started.
>>> >
>>> >I'm looking for ideas, data, references, whatever?
>>>
>>> For commercial CAs, the expiry time is a billing mechanism, not a security
>>> mechanism.
>>
>> The CABF BRs only require that revocation entries be maintained during the
>> lifetime of the certificate.
>
> I'm struggling to think of a reason the IETF should consider CABF a
> legitimate standards organization, but go on.
It's not a matter of whether CABF is or is not a legitimate SDO but rather of what CA practices are, and those are governed by a combination of the BRs (incidentally Mozilla's policies [0] also specify "unexpired").

-Ekr

P.S. I don't think that this tone "...but go on" is particularly helpful in this discussion.

[0] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#6-revocation
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls