> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Monday, February 13, 2017 7:23 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Intermediates Supporting Many EE Certs
> What can be done about the potential future issue (which might happen with
> any large CA) of the need to untrust a popular intermediate?
> Suggestions welcome.
> Gerv

Either timespan or total certificates issued limits, as ballots, accounting for 
quantity growth from the end entity certificate lifespan reduction proposals, 
would be an approach.

Getting all user agents with interest in issuance limits to implement the CA 
Issuers form of AIA for dynamic path discovery and educating server operators 
to get out of the practice of static chain installation on servers would make 
CA rollovers fairly fluid and less subject to operator error of failing to 
install the proper intermediate.