On 04-08-2014 at 15:16, Gervase Markham wrote:
> On 02/08/14 15:20, Jesper Kristensen wrote:
>> * Have you considered adding support for multiple OCSP staples to allow
>> stapling of CA certs?
>
> There is a proposed standard for multi-stapling but as far as I remember
> it's not even finished yet, let alone implemented and deployed. We
> decided that we can't wait for it.
>
>> * Why not allow short-lived CA certs without revocation info, just like
>> EE certs?
>
> I'm not sure there are any CAs out there who would like to get their
> root key out of its secure storage every 3 days.

I agree that it would not be relevant for the traditional intermediate CA certificates in the near future for this reason. I was thinking of name constrained sub-CAs, which in some aspects are more similar to EE certs than CA certs.

-
Jesper Kristensen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
