On Mon, Mar 27, 2017 at 10:18 AM, Ryan Sleevi <r...@sleevi.com> wrote:

> Gerv,
> I'm curious whether you would consider 18 months an appropriate target for
> a deprecation to 1 year certificates. That is, do you believe a transition
> to 1 year certificates requires 24 months or 18 months, or was it chosen
> simply for its appeal as a staggered number (1 year -> 2 year certs, 2
> years -> 1 year certs)?

I suppose one further consideration - the proposal you outline would forbid
issuance. As we saw with the SHA-1 deprecation, there are a variety of PKI
communities which may rely on long-lived certificates for other purposes,
but otherwise in no way interact with Mozilla applications.

Would it be useful to thus also query whether there would be impact in
Mozilla applications failing to trust such certificates, but otherwise to
continue permitting their issuance? While this carries with it some
compatibility and interoperability risk - due to the issuance continuing
independent of applications - I suspect that if applications could agree
upon a target date to reduce the trust in acceptance, this might be a
sufficient safeguard against the "first mover" problem and allow Mozilla to
obtain its objectives without explicitly prohibiting issuance.

That is a separate, but related, question, but useful to consider if you
will be asking all CAs, some of whom may have reasons due to other PKIs
that would make them concerned about potential impact. However, if
Mozilla's goals and desires would include seeing that those PKIs are operated
independently of the Web PKI, then forbidding issuance would be appropriate.
dev-security-policy mailing list