Robin Alden wrote:
>> Issuing long-lived DV certs and wildcard DV certs may be particular practices
>> worth our having some formal positions on, even if they're not addressed
>> by our official policy.
> [Robin said...]
> There I have to disagree to some degree.
> You have a policy which tells us what we must do to qualify for root
> inclusion.
> Are you saying that you have some other things which aren't in the policy
> which we must do too?
No. I'm simply stating that there are CA-related issues which may not warrant us having a formal policy on, but which we may have an opinion on that we want to express.

To take another example: our policy doesn't address the issue of whether CAs issue end entity certs directly from roots as a standard practice, as opposed to having roots issue CA certs to subordinates and then having the subordinates issue end entity certs. Some people think that root private keys should always be stored offline, and that it's a bad practice from a security standpoint to use them in conjunction with an online cert-issuing operation, even if the root key is on a hardware device. I don't see us making it a formal condition of our policy that CAs use only offline roots, and rejecting CAs that issue end entity certs directly from roots. However, it's quite possible that we may want to publicly encourage CAs to migrate to use of offline roots, and perhaps to maintain publicly available information on which CAs issue directly from roots and which don't.

We can also of course do such lobbying within groups like the CAB Forum, and we will. However, I don't believe that precludes our discussing and taking positions on these issues in the context of our public forums and web sites.

Frank

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
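As an added example (not code from this thread or from Mozilla), a Go check for the practice Frank describes: given an end-entity certificate and the CA certificates presented with it, report whether the leaf was signed directly by a self-signed root rather than by a subordinate CA. The certificates are constructed in-process for the demo; `newCert` and `IssuedDirectlyFromRoot` are names assumed by this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var serial int64 // constructed demo serials, not any real CA's numbering

// newCert issues a constructed test certificate for cn. A nil parent yields a
// self-signed root; otherwise parent/parentKey sign the new certificate.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen only fails on a broken reader
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root: the template signs itself with its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// IssuedDirectlyFromRoot reports whether leaf's signature verifies under a
// self-signed CA in chain, i.e. the root key itself signed the end-entity cert
// instead of a subordinate CA. Name matching and CA key-usage checks are done
// by CheckSignatureFrom.
func IssuedDirectlyFromRoot(leaf *x509.Certificate, chain []*x509.Certificate) bool {
	for _, c := range chain {
		// a CA that verifies its own signature is a root (self-signed)
		if c.CheckSignatureFrom(c) == nil && leaf.CheckSignatureFrom(c) == nil {
			return true
		}
	}
	return false
}
```

A CA that issues from an offline root will only ever produce leaves for which this returns false; a true result for a production leaf is the signal Frank suggests tracking publicly.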