Ban forward- and post- dating of certificates

[wthayer]

Consider requiring leaf TLS certificates to appear in a CT log within some reasonably short window of time around the notBefore date.

[sleevi]

That’s been a anti-goal of Google’s CT requirement. Organizations that are sensitive to the accidental disclosure of upcoming products would not embed SCTs, and instead use OCSP Stapling or TLS extension.

They would test within their organization prior to their announcement (e.g. using enterprise policies) and then, once announced, include the SCTs.

I do not thing CT should be the means of enforcing this policy. If a policy is created, it should be done in a way that is auditable by auditors, rather than couples to CT.

[sleevi]

I suppose I should also note that one possible way of achieving that auditable property - and ensuring clients have sufficient information - is the expression of the "earliest validation date" of the data within the certificate. Thus, even if a CA pre- or post-dates, client software will have an accurate timestamp as to when the CA most recently comprehensively validated the information expressed therein.