On Fri, Mar 3, 2017 at 6:25 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On 02/03/17 20:45, Eric Mill wrote:
> > Our goal is to start a new root and set of issuing CAs that is completely
> > disconnected and separate from the existing Federal PKI bridge network that
> > members of the web PKI community may be familiar with.
>
> Are you able to say whether you will be seeking a cross-sign from an
> existing publicly-trusted cert to bootstrap your ubiquity?

That's definitely being considered, as it would be an obvious way to accelerate the utility of a new CA intended for public trust.

> I note that some chap called Eric commented a couple of years ago that
> newly-added certificates would take a long time to be well enough
> distributed for USG websites to rely on them:
> https://bugzilla.mozilla.org/show_bug.cgi?id=478418#c70
> :-)

Seems like a reasonable guy...

> > government operated devices, and so we welcome appropriately narrow name
> > constraints that reflect that.
>
> Will you be encoding these constraints in your roots and/or
> intermediates, or will you be requesting that people shipping your roots
> impose them externally?
>
> If you are considering putting them in the roots, you may want to talk
> to HARICA, who attempted this and (I believe) ran into one or two issues.

That's the exact kind of question for which we could really use community input. We do have a general discussion thread open, with GSA and DoD staff contributing, to discuss the breadth of the constraints and potential implementation issues: https://github.com/uspki/policies/issues/12

I know I definitely don't have a complete understanding of client support and failure modes for in-certificate constraints in today's ecosystem. Breadth of enforcement is a factor, and so is breadth of support and reliability.
> > Since we’re not yet an applicant, this forum may not be the best place for
> > an extended discussion (though we’re happy to engage in discussion here if
> > people would like)
>
> This forum hosts general WebPKI discussion; you are welcome to keep us
> updated on your progress.

Thank you!

-- Eric

> Gerv
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

-- 
Eric Mill
Senior Advisor, Technology Transformation Service, GSA
eric.m...@gsa.gov, +1-617-314-0966
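The exchange above turns on how in-certificate name constraints behave once a root or intermediate carries them. The following is an added illustration, not code from the thread, from Mozilla, or from the USG PKI project: it implements the RFC 5280 section 4.2.1.10 matching rule for dNSName subtrees and the section 6.1.4 rule that every CA certificate's constraints along the chain must be satisfied. The constraint values (`gov`, `mil`, `agency.gov`, `test.agency.gov`) and the leaf names are constructed for the example and are not the constraints the proposal actually chose.

```python
"""Added example: evaluating RFC 5280 dNSName name constraints down a chain.

All constraint values and hostnames below are constructed for illustration;
they are not taken from the USG PKI proposal or any real certificate.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def dns_name_in_subtree(name: str, constraint: str) -> bool:
    """RFC 5280 s4.2.1.10: a dNSName satisfies a constraint when it is equal
    to it, or can be formed by adding one or more labels on the left.
    Matching is case-insensitive and a trailing dot is ignored.

    RFC 5280 does not define a leading '.' for dNSName constraints, and
    verifiers differ on how they treat one; this is exactly the sort of
    client-side variation the thread worries about. Here a leading dot is
    read as "subdomains only" (no exact match), which is the common reading.
    """
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint.startswith("."):
        return name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


@dataclass
class NameConstraints:
    """The dNSName parts of one CA certificate's NameConstraints extension."""
    permitted: List[str] = field(default_factory=list)
    excluded: List[str] = field(default_factory=list)


def name_allowed(name: str, nc: NameConstraints) -> bool:
    """A name fails if it falls in any excluded subtree, or if permitted
    subtrees exist for this name type and the name matches none of them.
    An empty permitted list leaves the type unconstrained."""
    if any(dns_name_in_subtree(name, c) for c in nc.excluded):
        return False
    if nc.permitted and not any(dns_name_in_subtree(name, c) for c in nc.permitted):
        return False
    return True


def leaf_names_allowed(
    san_dns_names: List[str], chain_constraints: List[NameConstraints]
) -> Tuple[bool, Optional[str]]:
    """RFC 5280 s6.1.4: constraints accumulate down the chain (permitted
    subtrees intersect, excluded subtrees union), so each leaf name must be
    acceptable to every constrained CA certificate above it.
    Returns (True, None) or (False, first offending name)."""
    for nc in chain_constraints:
        for name in san_dns_names:
            if not name_allowed(name, nc):
                return False, name
    return True, None


if __name__ == "__main__":
    # Constructed chain: a root narrowed to gov/mil, an intermediate narrowed
    # further to one agency with a carve-out for a test zone.
    root = NameConstraints(permitted=["gov", "mil"])
    intermediate = NameConstraints(
        permitted=["agency.gov"], excluded=["test.agency.gov"]
    )
    for names in (
        ["www.agency.gov"],
        ["www.agency.gov", "www.example.com"],   # fails at the root
        ["dev.test.agency.gov"],                 # fails on the excluded subtree
        ["www.navy.mil"],                        # passes root, fails intermediate
    ):
        print(names, "->", leaf_names_allowed(names, [root, intermediate]))
```

Running the block shows why constraint placement matters: a name that the root would accept can still be rejected by a narrower intermediate, and the leaf's entire SAN list fails if any single name does. A separate source of inconsistency, not modelled here, is that verifiers differ on whether dNSName constraints are also applied to a subject CN when a leaf lacks a SAN extension.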