On 15-Jan-19 12:31 PM, Ian Carroll via dev-security-policy wrote:
> from looking at [3] I think it should be a
> very negative mark against a CA to have to OneCRL one of their
> intermediates.

[3] was reported and discussed three years ago. When I look at it positively today, it does remind me that it's one of the reasons for our decision to separate root CAs for SSL certificates and non-SSL certificates. As far as I know, browsers and the web PKI community now encourage or even require the separation of CAs for different usages of certificates, e.g. time stamping, code signing, S/MIME, and SSL certificates. So, if there is a web PKI standard, we are actually glad to follow.

--Man Ho

