On Tue, May 16, 2017 at 7:58 AM, Peter Gutmann <[email protected]> wrote:
> Ryan Sleevi <[email protected]> writes:
>
> >I can't help but feel you're raising concerns that aren't relevant.
>
> CAs issue roots with effectively infinite (20 to 40-year) lifetimes because
> it's too painful to do otherwise. You're proposing instead:

That's not an appropriate summary of the issues, but equally, as I already
described, and perhaps could work through with you if you had further
questions (rather than criticisms), the 'too painful' scenario is still
meaningfully addressed.

> > require that all CAs must generate (new) roots on some interval (e.g. 3
> > years) for inclusion.
>
> (that's quoted from the original message I replied to). How do you propose
> that Mozilla is going to get every commercial CA on earth to do this?

The same way we in the Mozilla community have made progress for the past
decade -
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

It's fairly easy to submit PRs to https://github.com/mozilla/pkipolicy and
discuss.

Perhaps we can discuss the substance of the proposal, and work through any
confusion or misunderstanding, rather than suggesting it's not possible
because it's hard (of which both are not correct)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

