Jeff,

Here is some alternative language: "This schedule is subject to change if underlying algorithms become more susceptible to cryptanalytic attack or if other circumstances arise that make this schedule obsolete."

Ben
On Sun, Sep 25, 2022 at 12:58 PM Jeffrey Walton <[email protected]> wrote:
>
>
> On Mon, Sep 19, 2022 at 1:44 PM Ben Wilson <[email protected]> wrote:
>
>> Here is another option (deleting the other MRSP language previously
>> proposed):
>>
>> Section 7.4 “Root CA Life Cycles”
>>
>> Root CA certificates included in the Mozilla root store will be
>> distrusted when their CA key material is over 15 years old. The date of CA
>> key material generation SHALL be determined by reference to the auditor’s
>> key generation ceremony report. For key material generated before July 1,
>> 2012, Mozilla will assume that the key material was generated on the “Valid
>> From” date in the root CA certificate. For transition purposes, root CA
>> certificates in the Mozilla root store will be distrusted according to the
>> following schedule:
>>
>>   Key Material Created          Distrust Date
>>   Before January 1, 2006        April 15, 2025
>>   2006-2007                     April 15, 2026
>>   2008-2009                     April 15, 2027
>>   2010-2011                     April 15, 2028
>>   2012 - April 14, 2014         April 15, 2029
>>   April 15, 2014 - present      15 years from creation
>>
>> This schedule is subject to change if the underlying algorithms become
>> more susceptible to cryptanalytic attack.
>>
>> CA operators MUST apply to Mozilla for inclusion of their next generation
>> root certificate at least 2 years before the Distrust Date above.
>>
>> Thoughts?
>>
> I think "cryptanalytic attack" may be a bit too narrow. I think you
> should consider widening the spectrum of attacks.
>
> What if unexpected advancements in hardware make it feasible to attack a
> key using existing algorithms? Or, what if the cost of power drops
> significantly so that powering the hardware is no longer a concern?
>
> Jeff
>
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZZ78qerJrDVWg%3DK%3D7Ex0XA1ntW7z6d%2BiZX5Sacm1TLdg%40mail.gmail.com.
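To make the proposed Section 7.4 schedule concrete for anyone tracking their own root inventory, here is an added example (not from the thread, and not Mozilla policy or tooling) that derives the key creation date under the "Valid From" fallback rule, applies the transition table and the 15-year rule, and computes the 2-years-before inclusion deadline. The helper names, the constructed inventory in the usage, and the choice to refuse a post-July-2012 key that lacks a ceremony report date are my assumptions.

```python
from datetime import date

# Transition table from the proposed text: inclusive key-creation window
# (ISO dates, None = open-ended) -> fixed distrust date.
SCHEDULE = [
    (None,         "2005-12-31", "2025-04-15"),
    ("2006-01-01", "2007-12-31", "2026-04-15"),
    ("2008-01-01", "2009-12-31", "2027-04-15"),
    ("2010-01-01", "2011-12-31", "2028-04-15"),
    ("2012-01-01", "2014-04-14", "2029-04-15"),
]
FALLBACK_CUTOFF = "2012-07-01"  # keys generated before this may use "Valid From"

def _as_date(s):
    return s if isinstance(s, date) else date.fromisoformat(s)

def _add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # Feb 29 landing in a non-leap year
        return d.replace(year=d.year + years, day=28)

def key_creation_date(valid_from, ceremony_date=None):
    """Date the proposal treats as the key generation date (ISO string)."""
    if ceremony_date is not None:  # auditor's ceremony report takes precedence
        return _as_date(ceremony_date).isoformat()
    if _as_date(valid_from) < _as_date(FALLBACK_CUTOFF):
        return _as_date(valid_from).isoformat()
    # Assumption: the text gives no rule for newer keys without a report
    # date, so refuse rather than guess.
    raise ValueError("ceremony report date required for keys from 2012-07-01 on")

def distrust_date(created):
    """Distrust date for a root whose key material was created on `created`."""
    c = _as_date(created)
    for start, end, when in SCHEDULE:
        if (start is None or c >= _as_date(start)) and c <= _as_date(end):
            return when
    return _add_years(c, 15).isoformat()  # April 15, 2014 - present

def inclusion_deadline(created):
    """Last day to apply for the next-generation root: 2 years before distrust."""
    return _add_years(_as_date(distrust_date(created)), -2).isoformat()

def distrust_report(roots):
    """roots: (name, valid_from, ceremony_date or None). Rows sorted by distrust date."""
    rows = []
    for name, valid_from, ceremony in roots:
        created = key_creation_date(valid_from, ceremony)
        rows.append((name, created, distrust_date(created), inclusion_deadline(created)))
    return sorted(rows, key=lambda r: r[2])
```

Feeding `distrust_report` a constructed inventory such as `[("Root A", "2004-03-15", None), ("Root B", "2013-05-01", "2013-04-20")]` yields Root A distrusted on 2025-04-15 (application deadline 2023-04-15) and Root B on 2029-04-15 (deadline 2027-04-15).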
