Ballot SC-XX: Measure all hours and days to the second
In light of https://bugzilla.mozilla.org/show_bug.cgi?id=1865080, this ballot ensures that all readers of the BRs understand that time periods measured in days (such as validation document reuse periods, random value usage periods, and revocation timelines) are measured precisely, not in calendar days.

Notes:
- This ballot bears some similarity to Ballot SC-52, which never came to a vote.
- This ballot does not strictly define a "month", allowing infrequent tasks to continue to be executed on the same numeric day of each month, regardless of the number of days in that month.
aarongable authored Dec 21, 2023
1 parent 90a98dc commit c3e928e
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions docs/BR.md
@@ -460,7 +460,7 @@ The script outputs:

**Root Certificate**: The self-signed Certificate issued by the Root CA to identify itself and to facilitate verification of Certificates issued to its Subordinate CAs.

**Short-lived Subscriber Certificate**: For Certificates issued on or after 15 March 2024 and prior to 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 10 days (864,000 seconds). For Certificates issued on or after 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 7 days (604,800 seconds).
**Short-lived Subscriber Certificate**: For Certificates issued on or after 15 March 2024 and prior to 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 10 days. For Certificates issued on or after 15 March 2026, a Subscriber Certificate with a Validity Period less than or equal to 7 days.

**Sovereign State**: A state or country that administers its own government, and is not dependent upon, or subject to, another power.
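Review bot: dropping the parenthetical second counts from the Short-lived Subscriber Certificate definition makes this definition depend on the conversion rule added elsewhere in this commit (one day = 86,400 seconds), which sits in a different section; a reader of the definitions alone no longer sees that 10 days means 864,000 seconds. The removed figures agree with the new rule (10 × 86,400 = 864,000 and 7 × 86,400 = 604,800), so there is no semantic change, but consider either keeping the parentheticals or adding a pointer to the conventions paragraph that defines how days are measured.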

@@ -595,6 +595,8 @@ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "S

By convention, this document omits time and timezones when listing effective requirements such as dates. Except when explicitly specified, the associated time with a date shall be 00:00:00 UTC.

For purposes of measuring periods of time, one hour shall be defined to be exactly 3,600 seconds, and one day shall be defined to be exactly 86,400 seconds, ignoring leap-seconds. Any amount of time greater than this, including fractional seconds, shall represent an additional unit of measure, such as an additional hour or an additional day.

# 2. PUBLICATION AND REPOSITORY RESPONSIBILITIES

The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements.
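Review bot: in the new conventions paragraph, "Any amount of time greater than this" has an unclear antecedent, because the preceding sentence defines two units (the hour and the day); as written it can be read as a rule about days only. Suggest stating the rounding rule explicitly for both units, for example: `Any period of time that is not a whole number of hours or days, including one that exceeds a whole number of units by a fraction of a second, shall be counted as the next whole hour or day.` Also, "leap-seconds" is hyphenated here while the text removed from Section 6.3.2 writes "leap seconds"; one spelling should be used throughout.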
@@ -1332,7 +1334,7 @@ The following SHALL apply for communicating the status of Certificates which inc

OCSP responders operated by the CA SHALL support the HTTP GET method, as described in RFC 6960 and/or RFC 5019. The CA MAY process the Nonce extension (`1.3.6.1.5.5.7.48.1.2`) in accordance with RFC 8954.

The validity interval of an OCSP response is the difference in time between the `thisUpdate` and `nextUpdate` field, inclusive. For purposes of computing differences, a difference of 3,600 seconds shall be equal to one hour, and a difference of 86,400 seconds shall be equal to one day, ignoring leap-seconds.
The validity interval of an OCSP response is the difference in time between the `thisUpdate` and `nextUpdate` field, inclusive.

For the status of Subscriber Certificates:
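Review bot: with the per-section conversion sentence deleted, nothing left in this OCSP section says how the `thisUpdate`/`nextUpdate` difference is turned into hours or days, so a reader of these requirements will not know that 86,400 seconds plus a fraction of a second counts as two days unless they also read the conventions paragraph; a short cross-reference in place of the deleted sentence would close that gap. The retained word "inclusive" also deserves clarification now that rounding up is the global rule: if "inclusive" is read as adding one second to `nextUpdate` minus `thisUpdate`, a response whose fields are exactly 24 hours apart becomes an 86,401-second interval and therefore a two-day interval.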

@@ -1772,7 +1774,7 @@ The CA SHALL protect its Private Key in a system or device that has been validat

Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days.

For the purpose of calculations, a day is measured as 86,400 seconds. Any amount of time greater than this, including fractional seconds and/or leap seconds, shall represent an additional day. For this reason, Subscriber Certificates SHOULD NOT be issued for the maximum permissible time by default, in order to account for such adjustments.
Due to the precision with which Certificate validity periods are measured, Subscriber Certificates SHOULD NOT be issued for the maximum permissible time by default, to prevent off-by-one-second errors.

## 6.4 Activation data
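Review bot: the deleted text in 6.3.2 counted leap seconds toward the Validity Period ("including fractional seconds and/or leap seconds, shall represent an additional day"), whereas the conventions paragraph added in this commit defines the day as 86,400 seconds "ignoring leap-seconds". For a Validity Period that spans a leap second, that is a change in how the period is measured rather than a relocation of the same rule, and the commit message does not mention it; either call the change out in the ballot text or preserve the previous treatment. Separately, the replacement sentence "Due to the precision with which Certificate validity periods are measured" is vaguer than what it replaces; suggest naming the rule it relies on, e.g. `Because a Validity Period that exceeds a whole number of days by even a fraction of a second counts as an additional day, Subscriber Certificates SHOULD NOT be issued for the maximum permissible time by default.`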

