Maybe an ad-hoc pre-approval process would work.

-----Original Message-----
From: Peter Bowen [mailto:[email protected]]
Sent: Thursday, September 4, 2014 1:07 PM
To: Ben Wilson
Cc: Gervase Markham; [email protected]
Subject: Re: Short-lived certs

On Thu, Sep 4, 2014 at 7:54 AM, Ben Wilson <[email protected]> wrote:
> Options for trying this out might fit under an exception, if one were
> created, for "test, experimental, temporary, pilot, provisional, etc."
> certificate types.

Ben,

I think there is value in allowing some level of non-compliance for the purposes of testing and development, as that is the only way to get real world data. However the challenge is going to be not creating a loophole large enough to drive a truck (or business) through.

I have no question there are customers who would love to pay a CA to issue a 1024-bit RSA certificate directly from a root with a subject of "CN=exchange" with no subject alternative name. What would prevent a CA from issuing such a certificate as a "test, experimental, temporary, pilot, provisional, etc." type certificate?

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

