On 11/10/16 02:55, Ryan Sleevi wrote:
> CAs would and could address that continuity by signing their new
> root with their old (distrusted) root, and only issuing certificates
> with the new root, while the old root fades into obsolescence.
> This offers continuity because the certs issued by new-root could be
> trusted by clients that only trust old-root, by cross-signing
> new-root with old-root, while still offering the assurances to the
> public that old-root can safely be distrusted.
What do you say to my point that in practice there would be a set of
browsers which trusted neither - those released during the distrust period?
dev-security-policy mailing list
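The rollover the two posts describe (old root cross-signs the new root, the CA issues only from the new root, and clients fall into old-only, new-only and neither populations) can be played out with a small path-building model. This is an added example, not code from the thread or from any browser or CA; it uses the `cryptography` library, and the names "Old Root", "New Root" and "example.test" are constructed for the demonstration.

```python
"""Root rollover via cross-signing, modelled with the `cryptography` library.
Added example for the dev-security-policy thread; all names and dates are constructed."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.x509.oid import NameOID

# Constructed validity window shared by every certificate below.
NOT_BEFORE = datetime.datetime(2016, 11, 10, tzinfo=datetime.timezone.utc)
NOT_AFTER = NOT_BEFORE + datetime.timedelta(days=3650)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue a certificate binding subject_key to subject_cn, signed by issuer_key.
    Ed25519 carries no separate hash algorithm, hence sign(key, None)."""
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, None)
    )


def signed_by(child, parent):
    """True if parent is a CA whose name matches child's issuer and whose key signed child."""
    if parent.subject != child.issuer:
        return False
    bc = parent.extensions.get_extension_for_class(x509.BasicConstraints).value
    if not bc.ca:
        return False
    try:
        parent.public_key().verify(child.signature, child.tbs_certificate_bytes)
        return True
    except InvalidSignature:
        return False


def build_chain(leaf, intermediates, trust_anchors, max_len=5):
    """Depth-first path building: extend from the leaf through the supplied
    intermediates until a certificate signed directly by a trust anchor is reached.
    Returns subject names (leaf first, anchor last), or None if no trusted path exists."""
    def walk(chain):
        last = chain[-1]
        for anchor in trust_anchors:
            if signed_by(last, anchor):
                return chain + [anchor]
        if len(chain) >= max_len:
            return None
        for cand in intermediates:
            if cand not in chain and signed_by(last, cand):
                found = walk(chain + [cand])
                if found:
                    return found
        return None

    path = walk([leaf])
    return None if path is None else [c.subject.rfc4514_string() for c in path]


def rollover_scenarios():
    """Old root, new root, the old-signs-new cross-certificate and one leaf issued
    under the new root; then path building from the three client populations
    discussed in the thread: trusts old only, trusts new only, trusts neither."""
    old_key, new_key, leaf_key = (Ed25519PrivateKey.generate() for _ in range(3))
    old_root = issue("Old Root", old_key, "Old Root", old_key, True)
    new_root = issue("New Root", new_key, "New Root", new_key, True)
    cross = issue("New Root", new_key, "Old Root", old_key, True)  # cross-sign
    leaf = issue("example.test", leaf_key, "New Root", new_key, False)
    served = [cross]  # the server sends the cross-certificate alongside the leaf
    return {
        "old_only": build_chain(leaf, served, [old_root]),
        "new_only": build_chain(leaf, served, [new_root]),
        "neither": build_chain(leaf, served, []),
    }


if __name__ == "__main__":
    for population, chain in rollover_scenarios().items():
        print(f"{population:9s} -> {chain}")
```

A client that still trusts only the old root validates the leaf through the cross-certificate; a client that trusts the new root ignores the cross-certificate and chains directly; a client with neither anchor (one shipped during the distrust window, before the new root was added) has no path at all, which is the gap the reply points at. The model omits revocation, name constraints and path-length checks, so it shows only the chaining logic, not a full RFC 5280 validation.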