Establish CRL "backdating" expectations #648
Description
A recently filed Incident Report highlighted the TLS BRs makes no stipulation regarding CRL backdating.
This issue was raised because two CA Owner's were identified issuing CRLs containing revoked certificate entries with a revocationDate after the thisUpdate field, which triggers this ZLint lint.
As described in the lint:
* The thisUpdate field in a CRL indicates the time at which the CRL was issued.
* For each entry in the revokedCertificates list within the CRL, there is a
* revocationDate field. This revocationDate signifies when the certificate was revoked.
* Logically, a certificate cannot be listed as revoked on a CRL with a revocationDate
* that is after the thisUpdate of that CRL, because thisUpdate marks the point
* in time that the information in the CRL is considered valid. If a revocation
* happened after the CRL was issued, it would appear on a subsequent CRL.
IMO, CRL backdating makes less sense than Certificate backdating. Also, an undefined limit allows for practices that could go beyond compensating for clock skew. We should discuss the applicability of CRL backdating within the SCWG and either prohibit the practice or establish clearer expectations for what's permissible.
Proposal: Perhaps, if backdating is considered essential, there's an expectation that:
- It is limited to a strict threshold (e.g., less than XX minutes or hours); AND
- The
thisUpdatedate is no earlier than therevocationDateof the most recently revoked certificate contained in that CRL.
For reference, Certificate backdating appears discussed here and here.