On 27/03/17 16:22, Ryan Sleevi wrote:
> Would it be useful to thus also query whether there would be impact in
> Mozilla applications failing to trust such certificates, but otherwise to
> continue permitting their issuance?

That is a good idea. How about:

If you are unable to support a comprehensive reduction in issuance
lifetime, please explain the impact you see of Mozilla (and potentially
other browsers) removing trust from certificates of lifetime > 13 months
in the same sort of timeframe. This would mean browser-facing
certificates would need to have shorter lifetimes, but those
certificates not issued for trust by browsers could have longer lifetimes.

<Free text box>

> That is a separate, but related, question, but useful to consider if you
> will be asking all CAs, some of whom may have reasons due to other PKIs
> that would make them concerned about potential impact. However, if
> Mozilla's goals and desires would include seeing those PKIs are operated
> independently of the Web PKI, then forbidding issuance would be appropriate.

Presumably you mean independently apart from the fact that they happen
to share roots?


