All, Originally, I scoped version 2.8 of the Mozilla Root Store Policy (MRSP) to include criteria and timeframes for when certain old root CA certificates would be removed from the trust store (prior to their expiry date).
In Github, I am taking off the "2.8" Label from Issue #232 <https://github.com/mozilla/pkipolicy/issues/232> and will not include it in version 2.8 of the MRSP, but I will be continuing my analyses of older roots and the appropriate time by which each should be removed. The approach might be to remove the website trust bit for the following types of roots in the following order: - 2048-bit RSA signed using SHA1 (approx. 2025) - 2048-bit RSA signed using SHA256 (approx. 2027) - 4096-bit RSA signed using SHA1 (approx. 2029) - EC 256r1 signed using SHA256 (approx. 2029) There are a number of factors that I am looking at, like CABF requirements in existence when the root was created, whether the root is older than 18-20 years, etc. I would suggest that we might take action on other roots (e.g. RSA 4096 with SHA256 and EC 384r1 with SHA384) in the early 2030s, but that will depend on the evolution of computing power and the development of systems that support stronger, quantum-resistent crypto. Ben -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabt4tSD%3DyUgruO-dNbR%3DAjZzxkxDLostvG-xFKht5dYKg%40mail.gmail.com.
