Stage the restriction on the Validity Period.

The first cutoff is shortly after Chrome 74 is expected to reach stable. The second cutoff is 3 months later, approximately when Chrome 76 is expected to reach stable.
WICG · Feb 6, 2019 · c146253 · c146253
1 parent 4500087
commit c146253
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/draft-yasskin-http-origin-signed-responses.md b/draft-yasskin-http-origin-signed-responses.md
@@ -990,6 +990,15 @@ extension. This OID might or might not be used as the final OID for the
 extension, so certificates including it might need to be reissued once the final
 RFC is published.
 
+Some certificates have already been issued with this extension and with validity
+periods longer than 90 days. These certificates will not immediately be treated
+as invalid. Instead:
+
+* Clients MUST reject certificates with this extension that were issued after
+  2019-05-01 and have a Validity Period longer than 90 days.
+* After 2019-08-01, clients MUST reject all certificates with this extension
+  that have a Validity Period longer than 90 days.
+
 ### Extensions to the CAA Record: cansignhttpexchanges Parameter {#caa-cansignhttpexchanges}
 
 A CAA parameter "cansignhttpexchanges" is defined for the "issue" and