On 21/08/17 06:20, Peter Kurrasch wrote:
> The CA should decide what makes the most sense for their particular
> situation, but I think they should be able to provide assurances that
> only BR-compliant certs will ever chain to any roots they submit to the
> Mozilla root inclusion program.

So you are suggesting that we should state the goal, and let the CA work out how to achieve it? That makes sense.

I agree with Nick that transparency is important.

Is there room for an assessment of risk, or do we need a blanket statement? If, say, a CA used short serials up until 2 years ago but has since ceased the practice, we might say that's not sufficiently risky for them to have to stand up and migrate to a new cross-signed root. I agree that becomes subjective.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

