On Thu, May 18, 2017 at 10:16 AM, Gervase Markham <[email protected]> wrote:
> On 17/05/17 19:33, Ryan Sleevi wrote:
> > On Wed, May 17, 2017 at 2:23 PM, Gervase Markham <[email protected]
> > <mailto:[email protected]>> wrote:
> > > What's the alternative proposal, given that many or most CAs can't do
> > > per-method rules right now?
> >
> > The proposed extension would be simply that the CAs which haven't
> > maintained those records can still signal a BR version 1.4.2 (or 1.4.1
> > or equivalent). As they gather/complete such records, they can signal a
> > BR version 1.4.x.
>
> You misunderstand me. If you want different data reuse rules (a separate
> question from encoding BR version in the certs), what would they be and
> how would they work? Or are you happy with the data reuse rules proposed?

I'm suggesting that we can support the data reuse rules as proposed - arguably, a weakening of the current requirements - provided that we also specify a way for CAs to affirmatively attest that they have not reused problematic data. This seems to provide a reasonable compromise - it permits insecure practices, provided that CAs are transparent about them.
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
