I suggest Mozilla should - at the very least - strongly urge the actual current 
owners of these CA roots to use their resources to reach out to subscribers 
informing them of this decision and of its consequences. If it cannot, it 
should hand over all available contact details for the subscriber to another 
CA/B member, for them to do that work on behalf of the whole industry.

We know in the SHA-1 threads that subscribers often seem ignorant of important 
decisions affecting them, and the CA is best placed to contact the subscriber 
because they're most likely to have useful email addresses, phone numbers etc. 
that lead to people with the correct mix of technical ability and decision 
making authority to act.

As it stands currently the plan does not invalidate most (any?) end entity 
certificates that we believe were legitimately issued and such notification 
could make that clear, but subscribers deserve some warning even of the risk 
that invalidation would happen in future, not to mention that they will not be 
able to receive renewals from these CAs, at least for some time.
dev-security-policy mailing list

Reply via email to