On 27/03/17 16:22, Ryan Sleevi wrote:
> Would it be useful to thus also query whether there would be impact in
> Mozilla applications failing to trust such certificates, but otherwise to
> continue permitting their issuance.

That is a good idea. How about:

If you are unable to support a comprehensive reduction in issuance lifetime, please explain the impact you see of Mozilla (and potentially other browsers) removing trust from certificates of lifetime > 13 months in the same sort of timeframe. This would mean browser-facing certificates would need to have shorter lifetimes, but those certificates not issued for trust by browsers could have longer lifetimes.

<Free text box>

> That is a separate, but related, question, but useful to consider if you
> will be asking all CAs, some of whom may have reasons due to other PKIs
> that would make them concerned about potential impact. However, if
> Mozilla's goals and desires would include seeing those PKIs are operated
> independently of the Web PKI, then forbidding issuance would be appropriate.

Presumably you mean independently apart from the fact that they happen to share roots?

Gerv