On 2016-09-26 at 20:15 -0700, Stephen Schrauger wrote: > > I agree that they should need new roots. But on top of the points Andrew > makes, it would also require StartCom and WoSign to get cross-signed if they > wish to continue supporting older devices that lack their new roots. > > They would have to regain the trust of another root CA who would be willing > to cross-sign their new roots. Or else StartCom and WoSign would have to > accept that new certificates created under their new root may not work on > older devices, since older computers and embedded devices aren't always able > to update their root stores. > > Assuming they want new certificates to work on older devices, I imagine the > need to be cross-signed would create another point of trust, since another CA > willing to cross-sign would do their own audit and have added requirements.
Not really. Their old roots could sign their new roots, which would be enough to make them work on the older devices where it worked. The cost of untrusting the old roots is probably similar to that of adding new roots, so that the effort of chaining to a different CA is not worthwhile. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
