On Wed, Dec 11, 2013 at 2:08 AM, Kathleen Wilson <[email protected]> wrote: > Additionally, this CA has a root renewal request in progress[3]. As with all > root inclusion requests, the CA will be required to demonstrate compliance > with the BRs before the request can be approved. ... On Wed, Dec 11, 2013 at 2:30 AM, Brian Smith <[email protected]> wrote: > Also, enabling *.gouv.fr sites that use ANSSI-issued certificates to > continue working would minimize disruption to essential government > services, like tax collecting, etc. Removing ANSSI completely may be > too disruptive to these essential services. > > My personal opinion is that it is unlikely that all other browsers > would follow us if we completely removed ANSSI
If removing the root now would be too disruptive, doesn't it follow that not renewing the root would also be too disruptive and, hence, one shouldn't assume that the renewal process can force BR compliance, either? > In case it isn't obvious, I support this proposal. Indeed, it seems that the necessary *minimum* action is restricting the root to *.gouv.fr, *.education.fr and *.ac-*.fr. (And it would seem prudent to keep the restriction in place after the potential root renewal as well.) -- Henri Sivonen [email protected] https://hsivonen.fi/ _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
