On 21. 10. 12. 13:52, Peter Gutmann wrote:
Maria José Prieto <[email protected]> writes:

Newly minted Root CAs must be valid for a minimum of 8 years, and a maximum
of 25 years, from the date of submission.

It would be helpful if browsers enforced the upper limits in the same way they
strictly enforce lower limits.  I don't know how many root CA certs I've seen
with validity periods of between one and two hundred years (that's not a
typo).  In particular, one-century validity periods seem to be popular for we-
don't-want-to-have-to-replace-them CA certs.  So once they're entered into the
CA store those all-powerful certs will still be valid long after the CAs have
gone out of business, the private keys have been sold or stolen or lost, and
the crypto they use has been broken.

Peter.


That kind of thing should be handled by removing such root certs from the browser by a sane trust store manager, not by waiting a decade for them to expire (because they couldn't pay for an audit if they are already bankrupt), or all the roots with a weak key algo will be removed as cleanup, like we removed 1024-bit RSA keys from the list. If a root certificate stays in the trust store, actively audited, until its expiry, there is no reason to believe it's weaker than a new root certificate with the same key algorithm from the same CA.
