On 25/03/15 17:45, Ryan Sleevi wrote:
> That is, in a hypothetical world where E1 is pursued (for any CA), the CA
> can simply backdate the certificate. They'd be non-compliant with the
> Baseline Requirements, presumably, but that is somewhat how we got here in
> the first place.
>
> So purely on a technical level, E2 seems to be the only viable option of
> the E options.

Not necessarily. In this hypothetical case, Mozilla could state that any evidence of cert backdating (verified out of band by IP scans) would lead to immediate root removal; the CA's customers (who would then have to replace all certs on an accelerated schedule) might then have cause for action against them for deliberately triggering such an event. This might prevent the CA from taking that action.

Just throwing thoughts around...

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy