On 01/29/2014 08:50 PM, From Jeremy Rowley:
> 1) These root certificates are used in many different systems, not just Mozilla. If Mozilla doesn't embed all of them, the ones not embedded will essentially be untrusted. The roots proposed are simply replacements for our existing root certificates, and our plan is to phase out the current DigiCert root certificates once there is sufficient ubiquity in the new roots.

Jeremy, not that I overly care, but are you saying that all these roots plus the existing roots were accepted in the Microsoft roots program? I thought there is a hard limit of three roots these days, and if that is correct and enforced by Microsoft, your argument doesn't hold.

I'd say that you probably should have no more than three roots, maybe each with a particular algo and hash. From those you can and should issue intermediate CA certificates according to the various purposes you outlined in your mail.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg