On Mon, Mar 30, 2015 at 2:22 PM, <jjo...@mozilla.com> wrote: > On Monday, March 30, 2015 at 8:34:47 AM UTC-7, Richard Barnes wrote: > >> As a compromise, however, I would be willing to add the CNNIC intermediates >> to the Mozilla root list (F). [...] Rather, we should plan >> to remove them after a fixed time (say 6 months) or after CNNIC's >> re-application is resolved, whichever comes first. > > I believe Richard's compromise approach is well-founded. If 6 months is too > short, as Gerv pointed out, perhaps we plan for that fixed period to be > something like ( $average_reapplication_time * 125% ) to account for minor > snags. > > It's likely to be in the applicant's best interests to commit to a timeframe > up front, even if it has a fudge factor, rather than leave it indefinite.
Can they reapply with the same intermediate CAs? If not, then could it be that they agree to move to new intermediates and cease issuing from the current ones, to lock the list of issued certs? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
