oxidecomputer / pki-playground

Tool for generating non-trivial X.509 certificate chains
Mozilla Public License 2.0

`notBefore` default behavior makes spec ambiguous #98

Open flihp opened 6 months ago

flihp commented 6 months ago

In using the KDL to describe certs I'm realizing that we have at least one bit of default behavior that makes a lot of sense, but causes the KDL spec to be incomplete. This is the `notBefore` field in the Validity sequence, within the TBSCertificate sequence. Currently, if it's not provided, the system time is used.

This is the behavior we want, but it makes the spec incomplete. Ideally I'd be able to hand the KDL spec to someone and they'd be able to unambiguously turn it into an X.509 cert. It may be that they simply need to understand this expected default behavior, but I'd prefer the spec reflect this behavior explicitly.

flihp commented 6 months ago

This could be as trivial as adding a special case for the optional string. Something like `"SystemTime"` or `"CurrentTime"` could be detected here, and instead of trying to turn the string into a `DateTime` directly we make one from `SystemTime`, like the `None` arm of the match.
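One way to implement the special case sketched in that comment, as an added Rust example that is not pki-playground's own code: `None` and a recognised keyword both resolve to "now", anything else must parse as an explicit timestamp, and unknown strings are rejected rather than silently defaulting. The keyword spellings, the `NotBefore` type and the strict `YYYY-MM-DDTHH:MM:SSZ` parser (std only, no chrono) are assumptions; the issue does not say how the string is currently turned into a `DateTime`.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

/// Keywords that, like an absent `notBefore`, mean "use the current time".
/// Hypothetical spellings; the issue only suggests such a keyword.
const NOW_KEYWORDS: &[&str] = &["SystemTime", "CurrentTime"];

/// Resolved `notBefore`: either "now" or an explicit instant in Unix seconds.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum NotBefore {
    Now,
    Explicit(u64),
}

impl NotBefore {
    /// Concrete instant to write into the Validity sequence. `Now` is sampled
    /// at call time, which is what the `None` arm of the match does today.
    pub fn unix_seconds(self) -> u64 {
        match self {
            NotBefore::Now => SystemTime::now()
                .duration_since(UNIX_EPOCH)
                .expect("system clock is before the Unix epoch")
                .as_secs(),
            NotBefore::Explicit(secs) => secs,
        }
    }
}

/// Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm).
fn days_from_civil(y: i64, m: u32, d: u32) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let era = (if y >= 0 { y } else { y - 399 }) / 400;
    let yoe = y - era * 400;
    let mp = (i64::from(m) + 9) % 12;
    let doy = (153 * mp + 2) / 5 + i64::from(d) - 1;
    let doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    era * 146_097 + doe - 719_468
}

fn days_in_month(y: i64, m: u32) -> u32 {
    match m {
        1 | 3 | 5 | 7 | 8 | 10 | 12 => 31,
        4 | 6 | 9 | 11 => 30,
        _ => if (y % 4 == 0 && y % 100 != 0) || y % 400 == 0 { 29 } else { 28 },
    }
}

/// Parse a strict `YYYY-MM-DDTHH:MM:SSZ` UTC timestamp into Unix seconds.
/// Anything looser (offsets, fractional seconds, missing `Z`) is rejected so
/// that a typo cannot be mistaken for "use the current time".
fn parse_utc_timestamp(s: &str) -> Option<u64> {
    let b = s.as_bytes();
    if b.len() != 20 {
        return None;
    }
    for (i, &c) in b.iter().enumerate() {
        let ok = match i {
            4 | 7 => c == b'-',
            10 => c == b'T',
            13 | 16 => c == b':',
            19 => c == b'Z',
            _ => c.is_ascii_digit(),
        };
        if !ok {
            return None;
        }
    }
    // All bytes are ASCII at this point, so byte-range slicing is safe.
    let field = |lo: usize, hi: usize| s[lo..hi].parse::<u32>().ok();
    let (y, mo, d) = (field(0, 4)?, field(5, 7)?, field(8, 10)?);
    let (h, mi, sec) = (field(11, 13)?, field(14, 16)?, field(17, 19)?);
    if !(1..=12).contains(&mo) || d == 0 || d > days_in_month(i64::from(y), mo) {
        return None;
    }
    if h > 23 || mi > 59 || sec > 59 {
        return None;
    }
    let days = days_from_civil(i64::from(y), mo, d);
    if days < 0 {
        return None;
    }
    Some(days as u64 * 86_400 + u64::from(h) * 3_600 + u64::from(mi) * 60 + u64::from(sec))
}

/// Resolve the optional `notBefore` string from the KDL spec.
pub fn resolve_not_before(field: Option<&str>) -> Result<NotBefore, String> {
    match field {
        None => Ok(NotBefore::Now),
        Some(s) if NOW_KEYWORDS.contains(&s) => Ok(NotBefore::Now),
        Some(s) => parse_utc_timestamp(s)
            .map(NotBefore::Explicit)
            .ok_or_else(|| format!("notBefore {s:?} is neither a keyword nor a UTC timestamp")),
    }
}

fn main() {
    for input in [None, Some("SystemTime"), Some("2024-01-01T00:00:00Z"), Some("soon")] {
        match resolve_not_before(input) {
            Ok(nb) => println!("{input:?} -> {nb:?} = {} s since epoch", nb.unix_seconds()),
            Err(e) => println!("{input:?} -> error: {e}"),
        }
    }
}
```

Keeping the keyword match case-sensitive and the timestamp grammar strict is deliberate: the point of the issue is that the spec should be unambiguous, so a value that is neither the exact keyword nor a well-formed instant is an error rather than another path to "now".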