All, I've re-ordered the factors to emphasize (prioritize) CAs that are proposing separate roots. I also added to the lists "previously approved" "subordinate CA operator" - for those CA operators that have been through the public-review-and-discussion process. See https://wiki.mozilla.org/CA/Prioritization. Ben
On Tue, Mar 15, 2022 at 8:09 AM Ryan Sleevi <[email protected]> wrote:
>
> On Tue, Mar 15, 2022 at 3:06 AM Lahtiharju, Pekka <[email protected]> wrote:
>
>> Hi Doug,
>>
>> Is the described multi-root schema (different roots for different purposes) some kind of new best practice for CAs? So far Telia has used only one root for all purposes but should we now change that policy and start applications with several new roots? What is the reason for multi-root schema? Note! Some root programs like Oracle have specified that one member may have maximum three roots in their systems.
>
> Yes, it’s been recommended for several years now, both in response to numerous CA incidents and explicitly by the Chrome Root Program (https://g.co/chrome/root-policy), discussed at the CA/Browser Forum F2F 52 - https://cabforum.org/2021/04/01/minutes-of-the-ca-browser-forum-f2f-meeting-52-virtual-3-4-march-2021/#Google-Root-Program-Update
>
> The slides also demonstrate how you can structure your hierarchy to satisfy both separate roots and, for legacy root stores that limit the number of included CAs, multipurpose roots. I use the term “legacy” because other root programs that have had limits (e.g. Microsoft and Apple, at various points), have generally in practice relaxed or removed those limits to support algorithm diversity and purpose separation.
