On Fri, Jan 10, 2025 at 06:21:02PM -0800, Suchan Seo wrote:
> Wouldn't fixed 30 certificates per CA cause smaller CA just spam load
> generate test certificates on production environment to delude chance to it
> actually hit actual client?

It is certainly a possibility. However, that sort of thing leaves extensive evidence (which, I will note, a CA-driven "random" choice protocol does not), and if such evidence was found and brought to light publicly, I expect it would not reflect well on the CA involved.

Also, in the protocol I proposed, as Mozilla has full discretion over the criteria by which certificates are chosen for a revocation test, it does not have to select those certificates entirely at random. It could identify certificates issued for the purposes you describe, and just not include such certificates in the list of those to be revoked.

- Matt
