I don’t know where the limit proposed comes from, but it seems highly arbitrary to me and seems designed to stifle competition. Additionally, what if there are special purpose CAs who issue certs for only a select subgroup of users? They won’t be able to function in such a scheme. I am against this idea for the little benefit noted in compression.
On Saturday, July 29, 2023 at 11:31:57 PM UTC-4 Watson Ladd wrote:

> Dear DSP participants,
>
> Recently at the IETF a novel compression scheme for certificates was put forward. This compression scheme depends on a dictionary based on all CA certificates and intermediates. The presence of many small CAs expands this dictionary, and the benefit of small CAs is small.
>
> Small CAs have other costs: they are unlikely to have the resources to comply with more intrusive security measures or staff that can execute the tasks required when these measures fail. Meanwhile they have the same capacity to damage the security of the webPKI as much more well resourced ones. At the same time today's small CA is tomorrow's giant and refuge should we need to distrust a big CA.
>
> I'd like to propose that any CA that has existed for five or more years whose annual issuance volume is under 2,000 EE certs be distrusted. To avoid injuring subscribers this distrust is "mild": all existing issued certs are fine, and the entity can handle all but the BR validation for specified intermediate of a bigger CA. This prevents the user community of the CA from being left high and dry. I haven't counted how many would be affected. For clarity I think this should only be for TLS server auth mainly because that's the highest risk kind of CA.
>
> I realize this is an inevitably controversial proposal, (I called it a can of worms at the mic) but the guidelines already ask for a balancing task between the value to users and the risk posed by a CA. I don't think we should be afraid to put some numbers on.
>
> Sincerely,
> Watson Ladd
