On Thu, May 18, 2017 at 10:15 AM, Gervase Markham <[email protected]> wrote:
> On 17/05/17 18:29, Doug Beattie via Public wrote:
> > 2) Set a date within the next 3-6 months for requiring only the 10
> > methods for issuance of all certificates
>
> I think the date for which "only 10 methods" is allowed has de facto
> become a root program issue rather than a BR issue; for Mozilla, it's
> 21st July.
>
> > 3) Specify which baseline methods were used within the certificate
> > and allow deprecated methods to be used for the next 825 days. What
> > timeline are we contemplating for this?
>
> It's not about continuing to allow deprecated methods, it's about
> continuing to allow data gathered using deprecated methods. The current
> proposal, to which Ryan is objecting, is to allow all existing data to
> continue to be used for the standard data lifetime of 825 days.

While I certainly find it objectionable and unfortunate that CAs would reuse such data, I'm suggesting that we could be supportive, provided that we normatively specified a way to signal compliance with the existing method (so that security-conscious CAs can adopt and signal this), with a requirement for all CAs to signal compliance further out. If we were to do this today, we can rely on it within 4 years - but it also seems to be a reasonable way to compromise with reduced security in the Baseline Requirements.
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
