Ultimately, AIA chaining, scoring of TLS payload over NSS saved CAs in path discovery, and a purge of passively discovered intermediates chaining to the subject roots from NSS would create a permanent way forward. Unless these are feasible, we'll keep feeding intermediate certs signed under our go forward roots that were in use under our retiring root.
In the vast majority of cases, our customers did not cross-sign into our go forward roots, they created new subordinate PKIs and we signed new requests. It is common for our customers to operate multiple concurrent intermediates. It is common for our customers to use a PKI product that has no licensing burden in creating CAs and certs, only the licensing of our public trust enablement. Therefore they don't need to cross-sign to save cost. In our own PKIs that drive our SaaS applications, we never cross-sign intermediates or issuers across roots, we always bootstrap new chains. We may cross-sign at the root tier for ubiquity crutches.

Kind regards,

Steven Medin
Product Manager, Identity and Access Management
Verizon Enterprise Solutions

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+steve.medin=verizonbusiness....@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Monday, July 28, 2014 4:29 PM
To: [email protected]
Subject: Re: Removal of 1024 bit CA roots - interoperability

On 7/25/14, 3:11 PM, Kathleen Wilson wrote:
> On 7/4/14, 6:27 AM, Hubert Kario wrote:
>> The newly released NSS 3.16.3 doesn't include 1024 bit CA
>> certificates any more[1]. This will of course impact users of servers
>> that still use it.
> <snip>
>> That's why I think that we should ship the intermediate CA
>> certificates to make Firefox continue to interoperate with such sites.
>
> <snip>
>
> == For this batch of root changes ==
>
> We are still investigating if we should use this possible solution for
> this batch of root changes. Please stay tuned and continue to share
> data and test results that should be considered.
>

I have filed a bug regarding this: https://bugzilla.mozilla.org/show_bug.cgi?id=1045189

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
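The thread turns on how a client's path discovery behaves once a 1024-bit root is dropped from the trust store: a server that still sends an intermediate chaining to the retired root stops validating unless the client either already holds a copy of that intermediate re-signed under a go-forward root, or chases the AIA caIssuers URL. The following is an added example written for this page, not code from the thread, from NSS or from Verizon. It models certificates as simplified records and replaces real signature verification with an issuer-name plus key-identifier match; the names ("CN=Customer Issuing CA", "CN=Go-Forward Root"), key identifiers and AIA URLs are constructed, and the `aia_fetch` callback stands in for an HTTP fetch so the whole thing runs offline.

```python
"""Toy certificate-path discovery illustrating the retiring-root scenario.

Constructed example. A real validator checks signatures with the issuer's
public key, validity periods, basic constraints, name constraints and
revocation; here 'signed by' is approximated by issuer name == subject name
and authority key id == subject key id.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    subject_key_id: str            # stand-in for the certified public key
    authority_key_id: str          # which key signed this certificate
    aia_url: Optional[str] = None  # constructed caIssuers URL, if any


def is_signed_by(child: Cert, parent: Cert) -> bool:
    """Stand-in for a signature check (see module docstring)."""
    return (child.issuer == parent.subject
            and child.authority_key_id == parent.subject_key_id)


def build_path(leaf: Cert, trust_anchors: List[Cert], presented: List[Cert],
               cached: List[Cert],
               aia_fetch: Optional[Callable[[str], List[Cert]]] = None,
               max_depth: int = 8) -> Optional[List[Cert]]:
    """Depth-first path discovery from `leaf` to a trust anchor.

    Issuer candidates come from the certificates the server presented, from
    the client's own store of saved intermediates, and, only when nothing
    else matches and a fetcher is supplied, from the AIA caIssuers URL.
    Returns the path leaf -> ... -> anchor, or None if no path exists.
    """
    def search(cert: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if len(path) > max_depth:
            return None
        for anchor in trust_anchors:          # terminate at a trusted root
            if is_signed_by(cert, anchor):
                return path + [anchor]
        candidates = [c for c in presented + cached if is_signed_by(cert, c)]
        if not candidates and aia_fetch is not None and cert.aia_url:
            candidates = [c for c in aia_fetch(cert.aia_url) if is_signed_by(cert, c)]
        for cand in candidates:               # try every issuer with this name/key
            if cand in path:                  # loop guard for cross-signed CAs
                continue
            found = search(cand, path + [cand])
            if found:
                return found
        return None

    return search(leaf, [leaf])


# --- constructed PKI: an old 1024-bit root, a go-forward root, one issuing CA
OLD_ROOT = Cert("CN=Old 1024 Root", "CN=Old 1024 Root", "k_old", "k_old")
NEW_ROOT = Cert("CN=Go-Forward Root", "CN=Go-Forward Root", "k_new", "k_new")
# The same issuing-CA key certified twice: once under each root.
INT_OLD = Cert("CN=Customer Issuing CA", "CN=Old 1024 Root", "k_int", "k_old")
INT_NEW = Cert("CN=Customer Issuing CA", "CN=Go-Forward Root", "k_int", "k_new")
LEAF = Cert("CN=www.example.com", "CN=Customer Issuing CA", "k_leaf", "k_int",
            aia_url="http://aia.example.invalid/issuing-ca.cer")

# What the CA publishes at the AIA URL (constructed; a real CA serves DER/PKCS#7).
AIA_STORE: Dict[str, List[Cert]] = {LEAF.aia_url: [INT_OLD, INT_NEW]}


def scenarios() -> Dict[str, Optional[List[Cert]]]:
    """Four client configurations against a server that sends the old chain."""
    server_sends = [LEAF, INT_OLD]
    return {
        # Before the root removal: the old chain still validates.
        "old_root_still_trusted": build_path(LEAF, [OLD_ROOT, NEW_ROOT], server_sends, []),
        # After removal, with no saved intermediates and no AIA: failure.
        "old_root_removed": build_path(LEAF, [NEW_ROOT], server_sends, []),
        # Client already holds the intermediate re-signed under the new root.
        "re_signed_intermediate_cached": build_path(LEAF, [NEW_ROOT], server_sends, [INT_NEW]),
        # Server sends only the leaf; AIA chasing recovers the issuer.
        "aia_chasing": build_path(LEAF, [NEW_ROOT], [LEAF], [], aia_fetch=AIA_STORE.get),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(name, "->", [c.subject for c in path] if path else "NO PATH")
```

The `old_root_removed` case is the interoperability failure the thread is discussing; `re_signed_intermediate_cached` is the "feed intermediates signed under the go-forward root" workaround, and it works because path building matches issuer candidates by name and key, so a re-signed copy of the same issuing CA is a valid alternative parent. `aia_chasing` is the approach the first message calls a permanent way forward.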

