Hi Dimitris,

Thanks. I don't know why Chrome chose five years because I can't think of a scenario where a CA operator would take 4-5 years to submit their root CA for inclusion in the trust store. Whereas, three years seemed more reasonable and manageable.

Ben

On Tue, Aug 30, 2022 at 12:39 PM Dimitris Zacharopoulos <[email protected]> wrote:

> On 16/8/2022 12:28 AM, Ben Wilson wrote:
>
>> Addition to: Section 7.1 Inclusions
>>
>> CA key material MUST be generated within the three (3) years that precede
>> the submission of a CA inclusion request. The date of CA key material
>> generation shall be determined by reference to the auditor’s key generation
>> ceremony report.
>
> Why 3 years instead of 5? What are the security benefits of a key being
> generated 3 vs 5 years ago? The Chrome Root Program Policy states that it
> will accept keys generated 5 years ago so perhaps there is no significant
> reason to justify this policy divergence.
>
> Thanks,
> Dimitris.

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaph4gZKQp1M7SEuSTW5cBB1whFKmO6O%3D0fCm0e6XrG2g%40mail.gmail.com.
