On Tue, Mar 15, 2022 at 3:06 AM Lahtiharju, Pekka <[email protected]> wrote:

> Hi Doug,
>
> Is the described multi-root schema (different roots for different purposes) some kind of new best practice for CAs? So far Telia has used only one root for all purposes but should we now change that policy and start applications with several new roots? What is the reason for multi-root schema? Note! Some root programs like Oracle have specified that one member may have maximum three roots in their systems.

Yes, it’s been recommended for several years now, both in response to numerous CA incidents and explicitly by the Chrome Root Program (https://g.co/chrome/root-policy), discussed at the CA/Browser Forum F2F 52 - https://cabforum.org/2021/04/01/minutes-of-the-ca-browser-forum-f2f-meeting-52-virtual-3-4-march-2021/#Google-Root-Program-Update

The slides also demonstrate how you can structure your hierarchy to satisfy both separate roots and, for legacy root stores that limit the number of included CAs, multipurpose roots. I use the term “legacy” because other root programs that have had limits (e.g. Microsoft and Apple, at various points) have generally in practice relaxed or removed those limits to support algorithm diversity and purpose separation.
