All of these roots were already accepted in the Microsoft root store. Microsoft recently relaxed their three-root policy provided that the CA can show a need for additional roots or that the CA has a root migration program in place to keep the limit to three. Because of the communities we support, they permitted us to include five roots.

Jeremy

-----Original Message-----
From: Eddy Nigg [mailto:eddy_n...@startcom.org]
Sent: Wednesday, January 29, 2014 2:34 PM
To: Jeremy Rowley; mozilla-dev-security-pol...@lists.mozilla.org
Cc: 'Gervase Markham'; 'Brian Smith'; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DigiCert Request to Include Renewed Roots

On 01/29/2014 08:50 PM, From Jeremy Rowley:
> 1) These root certificates are used in many different systems, not
> just Mozilla. If Mozilla doesn't embed all of them, the ones not
> embedded will essentially be untrusted. The roots proposed are simply
> replacements for our existing root certificates, and our plan is to
> phase out the current DigiCert root certificates once there is
> sufficient ubiquity in the new roots.

Jeremy, not that I overly care, but are you saying that all these roots plus the existing roots were accepted in the Microsoft roots program? I thought there is a hard limit of three roots these days and if correct and enforced by Microsoft your argument doesn't hold.

I'd say that you probably should have not more than three roots, maybe each with a particular algo and hash. From those you can and should issue intermediate CA certificates according to the various purposes you outlined in your mail.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy