In using the KDL to describe certs I'm realizing that we have at least one bit of default behavior that makes a lot of sense, but causes the KDL spec to be incomplete. This is the notBefore field in the Validity sequence, within the TBSCertificate sequence. Currently if it's not provided the system time is used.
This is the behavior we want, but it makes the spec incomplete. Ideally I'd be able to hand the KDL spec to someone and they'd be able to unambiguously turn it into an x509 cert. It may be that they simply need to understand this expected default behavior but I'd prefer the spec reflect this behavior explicitly.