> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> [email protected]] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Monday, February 13, 2017 7:23 AM
> To: [email protected]
> Subject: Intermediates Supporting Many EE Certs
>
> What can be done about the potential future issue (which might happen with
> any large CA) of the need to untrust a popular intermediate?
> Suggestions welcome.
>
> Gerv
>
Either timespan or total-certificates-issued limits, as ballots, accounting for quantity growth from the end-entity certificate lifespan reduction proposals, would be an approach. Getting all user agents with an interest in issuance limits to implement the CA Issuers form of AIA for dynamic path discovery, and educating server operators to get out of the practice of static chain installation on servers, would make CA rollovers fairly fluid and less subject to the operator error of failing to install the proper intermediate.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
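The dynamic path discovery the reply refers to (the id-ad-caIssuers form of the Authority Information Access extension, RFC 5280 section 4.2.2.1) is the mechanism that lets a client recover when a server sends only its end-entity certificate. The following is an added example, not code from the thread or from Mozilla: it builds a constructed root/intermediate/leaf hierarchy whose leaf carries an AIA caIssuers URL, publishes the intermediate on a local test HTTP server standing in for the CA's repository, and shows verification failing with the leaf alone and succeeding once the missing issuer is fetched via AIA. The names, URL and hierarchy are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// PKI is a constructed three-tier hierarchy (assumed for this example): root -> intermediate -> leaf.
type PKI struct{ Root, Inter, Leaf *x509.Certificate }

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildPKI issues root, intermediate and leaf. Only the leaf carries an AIA caIssuers
// URL (aiaURL, assumed to serve the DER-encoded intermediate), which is what a
// relying party follows when the server forgot to install the intermediate.
func BuildPKI(aiaURL string) (*PKI, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootTmpl := caTemplate(1, "Example Root")
	root, err := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	inter, err := issue(caTemplate(2, "Example Intermediate"), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames:  []string{"www.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IssuingCertificateURL: []string{aiaURL}, // AIA id-ad-caIssuers
	}
	leaf, err := issue(leafTmpl, inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Inter: inter, Leaf: leaf}, nil
}

// fetchIssuer retrieves one DER certificate from an AIA caIssuers URL, with a body cap.
func fetchIssuer(client *http.Client, url string) (*x509.Certificate, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: HTTP %d", url, resp.StatusCode)
	}
	der, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWithAIA verifies leaf for dnsName against roots. While the chain is incomplete it
// follows the caIssuers URL of the last certificate it holds and retries, at most
// maxFetches times. A fetched certificate is only accepted if it really signed the
// certificate that named it, so the repository cannot inject an unrelated CA.
func VerifyWithAIA(leaf *x509.Certificate, dnsName string, roots *x509.CertPool, client *http.Client, maxFetches int) ([][]*x509.Certificate, error) {
	inters := x509.NewCertPool()
	cur := leaf
	for fetched := 0; ; fetched++ {
		chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
		if err == nil {
			return chains, nil
		}
		if fetched >= maxFetches || len(cur.IssuingCertificateURL) == 0 {
			return nil, err // nothing left to chase; surface the original verification error
		}
		issuer, ferr := fetchIssuer(client, cur.IssuingCertificateURL[0])
		if ferr != nil {
			return nil, fmt.Errorf("AIA fetch for %s failed: %w", cur.Subject.CommonName, ferr)
		}
		if serr := cur.CheckSignatureFrom(issuer); serr != nil {
			return nil, fmt.Errorf("AIA returned a certificate that did not sign %s: %w", cur.Subject.CommonName, serr)
		}
		inters.AddCert(issuer)
		cur = issuer
	}
}

// Demo publishes the intermediate on a local test server (standing in for the CA repository),
// then verifies the leaf first as a misconfigured server would present it (leaf only) and
// then with AIA chasing. Returns the AIA-built chain length and both verification errors.
func Demo() (chainLen int, staticErr, aiaErr error) {
	var interDER []byte
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/pkix-cert")
		w.Write(interDER)
	}))
	defer srv.Close()
	p, err := BuildPKI(srv.URL + "/intermediate.cer")
	if err != nil {
		return 0, err, err
	}
	interDER = p.Inter.Raw
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	_, staticErr = p.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "www.example.test"})
	var chains [][]*x509.Certificate
	chains, aiaErr = VerifyWithAIA(p.Leaf, "www.example.test", roots, srv.Client(), 4)
	if aiaErr == nil {
		chainLen = len(chains[0])
	}
	return chainLen, staticErr, aiaErr
}

func main() {
	n, staticErr, aiaErr := Demo()
	fmt.Println("leaf only:", staticErr)
	fmt.Println("with AIA chasing: chain length", n, "err:", aiaErr)
}
```

Go's own crypto/tls client does no AIA chasing, which is exactly the gap the reply is pointing at: a client without this logic sees the first verification result (an unknown-authority failure) whenever the server operator installed a stale or missing intermediate. The fetch cap, body limit and the CheckSignatureFrom check are the minimum a real implementation needs, since caIssuers URLs are attacker-supplied input from the certificate and the repository is an unauthenticated HTTP endpoint.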

