Ben Bucksch wrote: > If we decide that a CA does not operate properly,.but we don't want to > cause problems for users, another option would be to shorten the expiry > date of the relevant root certs to one year or less. > > Technically, that should be possible. The cert is public anyways.
But the accompanying private key is (hopefully) not public. Please, we shouldn't mess around with PKIX cert validation mechs. Just removing the trust flags is sufficient. > This would mean that users could continue to browse normally, including > SSL verification. Website owners would have one year (or less) time to > get certs from another CA, which does proper verifications. We restore > proper functioning of the system within one year (or less). I see no problem the schedule the removal of a trust flag. For security reasons all users have to update browsers from time to time anyway. ;-} Ciao, Michael. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
