On 07/11/16 10:52, Nick Lamb wrote:
> Where we don't have another way forward, I think one option is for
> CAs to replace an existing unconstrained intermediate with a newer
> one that is suitably constrained, and revoke the old one. This is
> subject to all the usual caveats about revocation and of course the
> constraints chosen must be practical for that particular CA in the
> chosen timeframe.

You mean EKU-constrained (e.g. to email, or OCSP only)?

> Another economic tactic would be to require CAs to use long random
> serial numbers even in non-BR certificates.

How long would you say is long enough?

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
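The "how long is long enough" question above is usually answered with the CA/Browser Forum Baseline Requirements figure: section 7.1 requires at least 64 bits of output from a CSPRNG in the serial number (in force from 30 September 2016). The thread is about certificates the BRs do not cover, so that figure is not binding there, but it is the natural yardstick. The following is an added example, not code from the thread or from Mozilla; it generates serials that carry a guaranteed 64 random bits, DER-encodes them within the 20-octet limit of RFC 5280, and audits a population of observed serials for two signs that a CA is not meeting the bar: the population never reaches 64 bits, or the values look like a counter. The function names, thresholds other than 64 bits and 20 octets, and the sample serials are all constructed for illustration.

```python
"""Generate and audit X.509 serial numbers for unpredictability.

Added example, not from the mailing-list thread. The 64-bit minimum is
the CA/Browser Forum BR 7.1 figure; the 20-octet limit is RFC 5280
4.1.2.2. Function names, other thresholds and sample data are made up.
"""
import secrets

MIN_ENTROPY_BITS = 64     # BR 7.1: at least 64 bits from a CSPRNG
MAX_SERIAL_OCTETS = 20    # RFC 5280 4.1.2.2: serialNumber value <= 20 octets
SMALL_DELTA = 1 << 16     # assumed: neighbours closer than this look counter-issued


def der_serial(serial: int) -> bytes:
    """DER-encode a positive serial as an INTEGER (tag 0x02).

    The content is the minimal two's-complement encoding: bit_length // 8 + 1
    octets, which adds a leading 0x00 only when the top bit would otherwise
    make the value negative (e.g. 255 -> 00 FF).
    """
    if serial <= 0:
        raise ValueError("RFC 5280 4.1.2.2 requires a positive serial number")
    content = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    if len(content) > MAX_SERIAL_OCTETS:
        raise ValueError(f"serial needs {len(content)} octets, limit is {MAX_SERIAL_OCTETS}")
    # Content is at most 20 octets, so the short-form length byte always suffices.
    return b"\x02" + bytes([len(content)]) + content


def random_serial(entropy_bits: int = MIN_ENTROPY_BITS) -> int:
    """Return a serial carrying exactly `entropy_bits` bits of CSPRNG output.

    A fixed 1 bit is placed just above the random bits, so the value is
    always positive, never zero, and always the same length: a random draw
    with leading zero bits cannot silently produce a short serial.
    """
    if entropy_bits < MIN_ENTROPY_BITS:
        raise ValueError(f"{entropy_bits} bits is below the {MIN_ENTROPY_BITS}-bit minimum")
    serial = (1 << entropy_bits) | secrets.randbits(entropy_bits)
    der_serial(serial)  # raises if the value would exceed 20 octets
    return serial


def audit_serials(serials: list[int]) -> dict:
    """Audit a population of observed serials for weak issuance practice.

    short_population: no serial in the set reaches 64 bits. Honest 64-bit
        random output has its top bit set half the time, so with a dozen or
        more samples this is overwhelming evidence the CA is not adding
        64 bits (a single short serial, by contrast, proves nothing).
    sequential: at least half of the sorted neighbours differ by less than
        SMALL_DELTA, which is what counter-based issuance looks like and
        what 64 random bits essentially never produce.
    """
    if not serials:
        raise ValueError("need at least one serial")
    max_bits = max(s.bit_length() for s in serials)
    ordered = sorted(set(serials))
    deltas = [b - a for a, b in zip(ordered, ordered[1:])]
    small = sum(1 for d in deltas if d < SMALL_DELTA)
    return {
        "max_bits": max_bits,
        "short_population": max_bits < MIN_ENTROPY_BITS,
        "sequential": bool(deltas) and small * 2 >= len(deltas),
    }


# Constructed samples: a counter-style CA and one using random_serial().
COUNTER_STYLE = [0x1000 + i for i in range(12)]
RANDOM_STYLE = [random_serial() for _ in range(12)]

if __name__ == "__main__":
    print("counter-style:", audit_serials(COUNTER_STYLE))
    print("random-style: ", audit_serials(RANDOM_STYLE))
    print("example DER:  ", der_serial(random_serial()).hex())
```

The audit is population-level on purpose: a single serial cannot tell you how many random bits went into it, but a batch from one issuer can, which is also how one would check an intermediate that is being replaced rather than trusting the CA's own description of its issuance.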

