On Mon, Mar 27, 2017 at 10:18 AM, Ryan Sleevi <r...@sleevi.com> wrote:
> Gerv,
>
> I'm curious whether you would consider 18 months an appropriate target for a deprecation to 1 year certificates. That is, do you believe a transition to 1 year certificates requires 24 months or 18 months, or was it chosen simply for its appeal as a staggered number (1 year -> 2 year certs, 2 years -> 1 year certs)?

I suppose one further consideration - the proposal you outline would forbid issuance. As we saw with the SHA-1 deprecation, there are a variety of PKI communities which may rely on long-lived certificates for other purposes, but otherwise in no way interact with Mozilla applications. Would it be useful to thus also query whether there would be impact in Mozilla applications failing to trust such certificates, but otherwise to continue permitting their issuance?

While this carries with it some compatibility and interoperability risk - due to the issuance continuing independent of applications - I suspect that if applications could agree upon a target date to reduce the trust in acceptance, this might be a sufficient safeguard against the "first mover" problem and allow Mozilla to obtain its objectives without explicitly prohibiting issuance.

That is a separate, but related, question, but useful to consider if you will be asking all CAs, some of whom may have reasons due to other PKIs that would make them concerned about potential impact. However, if Mozilla's goals and desires would include seeing those PKIs are operated independently of the Web PKI, then forbidding issuance would be appropriate.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy