In an ideal world a CA would want to put the CSP doc into some utility that converts it to a linter, or the other way around, but I'm not sure if it's something reasonable to make.

On Friday, June 6, 2025 at 6:34:50 AM UTC+9, Jeremy Rowley wrote:

> I've been thinking of this during the ongoing Microsoft incident, but is there a particular reason we lack an arbitrary maximum number of live certificates per intermediary? We lack actual hard figures on client limitations for CRL processing, CRP were pointing out active CRLs far exceeding the 10MB figure. A carve-out for short-lived certs, and planning from the worst-case of a full revocation event what would be the ideal threshold for maximum number of certs? I'm not proposing this for BRs, or as a Root Program requirement - but certainly an option to minimize the blast radius for higher-level key compromise scenarios.

This has been proposed in the past but never adopted. IIRC it was because of the offline nature of key ceremonies so mass issuers would need to do a lot more signing. I still support this proposal though. You can batch up key ceremonies pretty easily.

--
You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d9e47aae-9c60-4fbf-ab73-e4f9d2fd4b4cn%40mozilla.org.