On 30/03/15 16:34, Richard Barnes wrote:
> Adding the intermediates would allow CNNIC to continue to issue end-entity
> certificates, and not penalize site owners immediately (as Peter notes).
> However, it would prevent the acceptance of other intermediates, since the
> improper issuance of intermediates is the immediate issue here.

This is only true if we are aware of all existing in-use CNNIC intermediates, and that they all have an explicit pathLength constraint of 0. A higher constraint, or none at all, would allow CNNIC to issue further intermediates off the whitelisted intermediates.

> As a compromise, however, I would be willing to add the CNNIC intermediates
> to the Mozilla root list (F). (Ideally, with an additional path length
> constraint, set to zero.)

Ah, I see you have covered this. If the CNNIC intermediates do not have such a constraint, we could add one artificially, but AIUI that would require custom code.

> Since CNNIC's policy regarding intermediates is the immediate issue here,
> this seems like a reasonable compromise. However, these intermediate
> certificates should not be admitted indefinitely. Rather, we should plan
> to remove them after a fixed time (say 6 months) or after CNNIC's
> re-application is resolved, whichever comes first.

If CNNIC are required to re-apply from scratch, I believe the current length of the application queue is longer than six months. That would mean that it's likely the time limit you set would expire before the determination of their re-inclusion.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
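The pathLenConstraint point Gerv raises above can be checked mechanically. The following Go program is an added example written for this page, not code from the thread or from Mozilla; it builds a constructed test hierarchy (a root, one intermediate with an explicit pathLenConstraint of 0, one with no constraint, and a sub-CA plus leaf under each) using only the standard library. None of the certificates or names are real CNNIC material; they are generated at run time. `CanIssueIntermediates` is the check a reviewer would run over a whitelisted intermediate, and `VerifyChain` shows what a client does with the resulting chains: the sub-CA under the pathLen 0 intermediate is rejected, while the sub-CA under the unconstrained intermediate is accepted, which is exactly the loophole a whitelist without an explicit constraint leaves open.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // increasing serial number for the constructed certificates

// issue creates one certificate of the constructed test PKI (not real CA data).
// pathLen < 0 means no pathLenConstraint; 0 means an explicit pathLenConstraint of 0.
// A nil parent produces a self-signed certificate.
func issue(cn string, isCA bool, pathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		MaxPathLen:            -1, // -1 asks crypto/x509 to omit pathLenConstraint entirely
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		if pathLen >= 0 {
			tmpl.MaxPathLen = pathLen
			tmpl.MaxPathLenZero = pathLen == 0 // Go needs this flag to encode an explicit 0
		}
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// CanIssueIntermediates reports whether a parsed CA certificate's basicConstraints
// permit it to sign further CA certificates. Only an explicit pathLenConstraint of 0
// forbids that; an absent constraint (parsed as MaxPathLen == -1) or any value >= 1
// allows subordinate CAs to be chained under it.
func CanIssueIntermediates(c *x509.Certificate) bool {
	if !c.BasicConstraintsValid || !c.IsCA {
		return false
	}
	return !c.MaxPathLenZero
}

// VerifyChain validates leaf -> intermediates -> root the way a TLS client would,
// so a pathLenConstraint violation surfaces as a verification error.
func VerifyChain(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: roots, Intermediates: inters})
	return err
}

// Hierarchy holds the constructed test PKI (hypothetical names, generated keys).
type Hierarchy struct {
	Root, InterZero, InterUnset, SubZero, SubUnset *x509.Certificate
	LeafZero, LeafSubZero, LeafSubUnset            *x509.Certificate
}

// BuildHierarchy generates the whole test PKI: two intermediates under one root,
// one with pathLen 0 and one without a constraint, each with a sub-CA and a leaf.
func BuildHierarchy() *Hierarchy {
	root, rootKey := issue("Test Root CA", true, -1, nil, nil)
	interZero, izKey := issue("Test Intermediate pathLen 0", true, 0, root, rootKey)
	interUnset, iuKey := issue("Test Intermediate no pathLen", true, -1, root, rootKey)
	subZero, szKey := issue("Sub-CA under pathLen 0", true, -1, interZero, izKey)
	subUnset, suKey := issue("Sub-CA under no pathLen", true, -1, interUnset, iuKey)
	leafZero, _ := issue("direct.example", false, -1, interZero, izKey)
	leafSubZero, _ := issue("viasubzero.example", false, -1, subZero, szKey)
	leafSubUnset, _ := issue("viasubunset.example", false, -1, subUnset, suKey)
	return &Hierarchy{root, interZero, interUnset, subZero, subUnset, leafZero, leafSubZero, leafSubUnset}
}

func main() {
	h := BuildHierarchy()
	fmt.Println("pathLen 0 intermediate may issue sub-CAs:   ", CanIssueIntermediates(h.InterZero))
	fmt.Println("unconstrained intermediate may issue sub-CAs:", CanIssueIntermediates(h.InterUnset))
	fmt.Println("leaf directly under pathLen 0:       ", VerifyChain(h.LeafZero, h.Root, h.InterZero))
	fmt.Println("leaf via sub-CA under pathLen 0:     ", VerifyChain(h.LeafSubZero, h.Root, h.InterZero, h.SubZero))
	fmt.Println("leaf via sub-CA under unconstrained: ", VerifyChain(h.LeafSubUnset, h.Root, h.InterUnset, h.SubUnset))
}
```

Note the crypto/x509 quirk that `CanIssueIntermediates` relies on: a parsed certificate with no pathLenConstraint reports `MaxPathLen == -1`, and an explicit zero is only distinguishable through `MaxPathLenZero`; a check that looked at `MaxPathLen == 0` alone would misclassify an unconstrained intermediate as safe. Adding a constraint "artificially", as the message discusses, is not something `VerifyChain` can do here, since the constraint is inside the signed certificate; it would have to be enforced by the verifier's own policy code, which is the custom-code cost Gerv refers to.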