I suggest Mozilla should - at the very least - strongly urge the actual current
owners of these CA roots to use their resources to reach out to subscribers
informing them of this decision and of its consequences. If it cannot, it
should hand over all available contact details for the subscriber to another
CA/B member, for them to do that work on behalf of the whole industry.
We know in the SHA-1 threads that subscribers often seem ignorant of important
decisions affecting them, and the CA is best placed to contact the subscriber
because they're most likely to have useful email addresses, phone numbers, etc.
that lead to people with the correct mix of technical ability and decision-making
authority to act.
As it stands currently, the plan does not invalidate most (any?) end entity
certificates that we believe were legitimately issued and such notification
could make that clear, but subscribers deserve some warning even of the risk
that invalidation would happen in future, not to mention that they will not be
able to receive renewals from these CAs, at least for some time.
dev-security-policy mailing list