Hi Matthias,

Thanks for the clarification.

So, I think the goal is (and the language might have to be modified if it isn't in alignment) that applicable policy and practice documents can be retrieved for the R1 hierarchy for the period 1995-2020; for the R2 hierarchy, for the period 2005-2030; and for the R3 hierarchy, for the period 2015-2040. So, for the scenario given, they should be accessible during each root CA's certificate lifetime.

In practice, it is likely that some CAs will have a series of CP/CPS documents (version 1 ... n) over the lifetimes of multiple roots. It may be that they want to keep v.1 from 1995 still accessible after 2020, but under the given scenario, it would not be required because the cross-certificate would no longer be trusted (even though the R2 CA, itself, would be trusted by then in the root store).

If I have perhaps not considered a scenario or complication, then I'm open to suggestions, and the language can be modified to make our goals more clear.

Thanks,
Ben

On Fri, Nov 18, 2022 at 11:17 AM Matthias van de Meent <[email protected]> wrote:

> On Fri, 18 Nov 2022 at 16:39, Ben Wilson <[email protected]> wrote:
> >
> > Hi Matthias,
> > Before I answer the questions, I think example dates need to be
> > associated with the events in the example cited below.
>
> Hi Ben,
>
> I've included some example years. Considering that there are no
> duplicate year numbers, these should be clear enough to talk about.
> Note that these are hypothetical dates; if there are issues with the
> (non)existence of certain standards and/or requirements, then these
> can probably be fixed by shifting and transforming all numbers to
> something that does work while keeping the ordering intact.
>
> Root R1, expired
> R1 validity period: 1995-2020
> .  ^- X-signed R2, R2 is in root store
>      R2 is self-signed, validity period 2005-2030. cross-signed cert by R1
>      has validity period of 2005-2020
> .  .  ^- X-signed R3, trust from R2
>         R3 root cert validity period: 2015-2040.
>         cross-signed cert by R2 has
>         validity period: 2015-2030
> .  .  .  ^- Intermediate ICA1, trusted from R2 through R3
>            ICA validity period: 2021-2026
> .  .  .  .  ^- Leaf Certificate
>               validity period: 2022-2023
>
> Thanks, and kind regards,
>
> Matthias van de Meent
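The trust-window reasoning in this exchange (a cross-certificate's validity caps how long a chain is trusted under the older root, and therefore how long that hierarchy's CP/CPS documents need to remain retrievable), as an added example that is not part of the thread: it encodes Matthias's hypothetical years in a constructed table and computes, for any certificate, the years in which a fully valid chain to each self-signed root exists. The `CERTS` table and both function names are assumptions made for this example.

```python
from math import inf

# Constructed model of the hypothetical hierarchy in the thread (example years only).
# Key: (subject, issuer); value: (not_before_year, not_after_year).
# A key with subject == issuer is a self-signed root certificate.
CERTS = {
    ("R1", "R1"): (1995, 2020),    # root R1, expires 2020
    ("R2", "R2"): (2005, 2030),    # root R2, also in the root store
    ("R2", "R1"): (2005, 2020),    # R2 cross-signed by R1
    ("R3", "R3"): (2015, 2040),    # root R3
    ("R3", "R2"): (2015, 2030),    # R3 cross-signed by R2
    ("ICA1", "R3"): (2021, 2026),  # intermediate issued by R3
    ("Leaf", "ICA1"): (2022, 2023),
}


def trust_windows(certs, subject):
    """Walk every issuer path from `subject` up to each self-signed root,
    intersecting the validity periods of the certificates along the way.
    Returns {root: [(lo, hi), ...]}: the year ranges in which a chain to that
    root exists with every certificate (including the root's) in validity."""
    roots = {s for (s, i) in certs if s == i}
    found = {}

    def walk(name, lo, hi, seen):
        if name in roots:
            nb, na = certs[(name, name)]
            rlo, rhi = max(lo, nb), min(hi, na)
            if rlo <= rhi:  # an empty window means no valid chain via this root
                found.setdefault(name, []).append((rlo, rhi))
        for (s, i), (nb, na) in certs.items():
            if s == name and i != s and i not in seen:  # follow cross-certs upward
                walk(i, max(lo, nb), min(hi, na), seen | {i})

    walk(subject, -inf, inf, {subject})
    return found


def hierarchies_needing_docs(certs, subject, year):
    """Roots through which `subject` is still trusted in `year`; the CP/CPS
    documents of those hierarchies are the ones that must be retrievable then."""
    return {root for root, wins in trust_windows(certs, subject).items()
            if any(lo <= year <= hi for lo, hi in wins)}


if __name__ == "__main__":
    print(trust_windows(CERTS, "Leaf"))             # no R1 entry: cross-cert window is empty
    print(hierarchies_needing_docs(CERTS, "R3", 2018))  # {'R1', 'R2', 'R3'}
    print(hierarchies_needing_docs(CERTS, "R3", 2025))  # {'R2', 'R3'}: R1 path ended in 2020
```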
