Gervase Markham <g...@mozilla.org> wrote:

> On 18/11/16 01:43, Brian Smith wrote:
> > The fundamental problem is that web browsers accept certificates with validity periods that are years long. If you want to have the agility to fix things with an N month turnaround, reject certificates that are valid for more than N months.
>
> That's all very well to say. The CAB Forum is deadlocked over a proposal to reduce the max validity of everything to 2 years + 3 months; some people like it because it removes a disadvantage of EV (which already has this limit), others don't like it because people like not having to change their cert and are willing to pay for longer. Mozilla is in support, but without agreement, we can hardly implement unilaterally - the breakage would be vast.
Regardless, the main point of that message of mine was left out: You could limit, in policy and in code, the acceptable lifetime of name-constrained externally-operated sub-CAs and/or the end-entity certificates they issue strictly, independently of whether it can be done for all certificates, and doing so would be at least part of the solution to making name-constrained externally-operated sub-CAs actually a viable alternative in the market.

Cheers,
Brian
--
https://briansmith.org/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
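The "in code" half of the point above, as an added illustration that is not part of this thread and not Mozilla's or NSS's code: a verifier-side check that applies a stricter lifetime limit only to chains that pass through a name-constrained intermediate, leaving unconstrained chains alone. The 12-month sub-CA and 6-month end-entity limits are assumptions chosen for the demo, not any limit the CAB Forum or Mozilla adopted; the root, sub-CA and leaf certificates are generated in-process so the example runs offline, and the constrained sub-CA is recognised by its permitted-subtree name constraints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical policy limits (assumptions for this demo, not an adopted policy).
const (
	MaxSubCAMonths = 12 // name-constrained, externally-operated sub-CA certificate
	MaxLeafMonths  = 6  // end-entity certificates issued under such a sub-CA
)

// isNameConstrained reports whether a CA certificate carries a Name Constraints
// extension with at least one permitted subtree (DNS, e-mail, IP or URI).
func isNameConstrained(c *x509.Certificate) bool {
	return c.IsCA && (len(c.PermittedDNSDomains) > 0 || len(c.PermittedEmailAddresses) > 0 ||
		len(c.PermittedIPRanges) > 0 || len(c.PermittedURIDomains) > 0)
}

// exceedsMonths is true when NotAfter lies beyond NotBefore plus the allowed months.
func exceedsMonths(c *x509.Certificate, months int) bool {
	return c.NotAfter.After(c.NotBefore.AddDate(0, months, 0))
}

// CheckChainLifetimes enforces the stricter limits on any chain that passes through a
// name-constrained intermediate. chain is leaf-first, root-last, as returned by
// (*x509.Certificate).Verify; the root itself is never subject to the limit.
func CheckChainLifetimes(chain []*x509.Certificate) error {
	if len(chain) < 3 {
		return nil // no intermediates at all, nothing to constrain
	}
	constrained := false
	for _, ca := range chain[1 : len(chain)-1] {
		if !isNameConstrained(ca) {
			continue
		}
		constrained = true
		if exceedsMonths(ca, MaxSubCAMonths) {
			return fmt.Errorf("name-constrained sub-CA %q is valid for more than %d months", ca.Subject.CommonName, MaxSubCAMonths)
		}
	}
	if constrained && exceedsMonths(chain[0], MaxLeafMonths) {
		return fmt.Errorf("end-entity %q under a name-constrained sub-CA is valid for more than %d months", chain[0].Subject.CommonName, MaxLeafMonths)
	}
	return nil
}

// makeCert issues tmpl with a fresh P-256 key; a nil parent means self-signed.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoChain constructs root -> name-constrained sub-CA -> leaf with the given
// lifetimes (constructed test data), verifies the leaf against the root, and returns
// the verified chain. Names and dates are fictitious; verification time is pinned.
func BuildDemoChain(subCAMonths, leafMonths int) ([]*x509.Certificate, error) {
	base := time.Date(2016, 11, 1, 0, 0, 0, 0, time.UTC)
	root, rootKey, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: base, NotAfter: base.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	subCA, subKey, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Corp Constrained Sub-CA"},
		NotBefore: base, NotAfter: base.AddDate(0, subCAMonths, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{"example.com"},
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"},
		NotBefore: base, NotAfter: base.AddDate(0, leafMonths, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, subCA, subKey)
	if err != nil {
		return nil, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(subCA)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		DNSName: "www.example.com", CurrentTime: base.Add(24 * time.Hour)})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

func main() {
	for _, tc := range []struct{ sub, leaf int }{{12, 6}, {36, 6}, {12, 24}} {
		chain, err := BuildDemoChain(tc.sub, tc.leaf)
		if err != nil {
			fmt.Println("chain build failed:", err)
			continue
		}
		fmt.Printf("sub-CA %2d months, leaf %2d months: %v\n", tc.sub, tc.leaf, CheckChainLifetimes(chain))
	}
}
```

The check runs after ordinary path validation, so it never loosens anything: a chain that fails name constraints or expiry is rejected before the lifetime policy is consulted, and a chain with no name-constrained intermediate is untouched, which is what lets the limit be applied to this class of sub-CA without waiting for a validity cap on all certificates.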