OneCRL: Distrust CAs based on issued certs' NotBefore dates

NEW, Unassigned
Core :: Security: PSM, P2, enhancement
Reporter: jcj
Tracking: Trunk, Future
Firefox Tracking Flags: firefox59 affected

Description (Reporter, 2 months ago)
It would be helpful, when winding down a PKI, to be able to distrust a CA's actions after a certain date (as measured by the NotBefore validity field).

For example, if the "Honest Achmed's Used Cars and Certificates" CA was being disabled after 1 January 2018, an end entity issued via that hierarchy to Iskender with a notBefore date of 21 November 2017 would be trusted normally, while a certificate issued to his cousin's friend Emin with a notBefore date of February 2018 would be distrusted.
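
The check requested above, sketched as an added example that is not part of the bug report and is not PSM code. The `Cert` struct, the name-keyed policy table, the strict "after the cutoff" comparison and the 1 February date are assumptions, and the check goes slightly beyond the description by applying the cutoff to every certificate beneath a listed CA, not only the end entity.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed model of a certificate: only the fields this check reads.
struct Cert {
  std::string subject;
  int64_t notBefore;  // seconds since the Unix epoch, UTC
};

// Hypothetical policy table: CA subject -> cutoff. A real list would key on
// something stronger than a name (e.g. a hash of the CA's public key).
using DistrustAfter = std::map<std::string, int64_t>;

enum class Verdict { Trusted, DistrustedByDate, EmptyChain };

// chain[0] is the end entity and chain.back() the root. Every certificate
// sitting below a listed CA must have notBefore <= that CA's cutoff.
Verdict CheckChain(const std::vector<Cert>& chain, const DistrustAfter& policy) {
  if (chain.empty()) return Verdict::EmptyChain;
  for (size_t ca = 1; ca < chain.size(); ++ca) {
    auto entry = policy.find(chain[ca].subject);
    if (entry == policy.end()) continue;  // no wind-down date for this CA
    for (size_t below = 0; below < ca; ++below) {
      if (chain[below].notBefore > entry->second) return Verdict::DistrustedByDate;
    }
  }
  return Verdict::Trusted;
}

// Constructed sample data using the names and dates from the description.
const int64_t kCutoff = 1514764800;  // 2018-01-01T00:00:00Z
const DistrustAfter kPolicy = {
    {"Honest Achmed's Used Cars and Certificates", kCutoff}};

std::vector<Cert> ChainFor(const std::string& name, int64_t notBefore) {
  return {{name, notBefore},
          {"Honest Achmed's Used Cars and Certificates", 946684800}};  // 2000-01-01Z
}

int main() {
  bool ok = CheckChain(ChainFor("Iskender", 1511222400), kPolicy) == Verdict::Trusted &&  // 2017-11-21Z
            CheckChain(ChainFor("Emin", 1517443200), kPolicy) == Verdict::DistrustedByDate;  // 2018-02-01Z
  return ok ? 0 : 1;
}
```

notBefore is set by the issuing CA, so a check like this relies on the CA not backdating certificates.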