I agree with Andrew’s point, and I would also like to ask which type of certificates CommScope plans to issue in terms of key usage. The requested Roots are for TLS servers and clients. Will you be a TLS Client Certificate-heavy CA, or will you issue mostly Server certificates?
Do you plan to offer certificates to other entities or will you only be issuing certificates for your own products? I read your post carefully about the value to the ecosystem stemming from your experience, but I did not understand what the difference will be at the certificate layer, and why a publicly trusted Root CA is needed to serve this. You write:

> CommScope is more than just a standard CA. With its wealth of experience
> dealing with device manufacturing, deployment and operation, we are also well
> positioned to serve device manufacturers and operators of device fleets,
> whose requirements are not the same as typical web site operators.

Based on that, I wanted to ask: have you tried (or plan to use) ACME for these types of operations? If not, what is preventing you from doing so?

The WebPKI has evolved to serve website operators, and the vast amount of requirements imposed on all of its CAs have been designed for browsers and websites, so you may have to face challenging circumstances if you try to deviate too far from that. Especially with IoT, where — as Andrew said — revocation and renewal is difficult, especially at these volumes you describe, every incident that occurs will be more difficult to deal with, not just for CommScope, but potentially for other entities involved such as user agents.

CAs are also required to implement changes relatively quickly. The typical time frame is either weeks or months. Does that match your expectations and the lifecycle for software updates and changes to your relying parties?

It’s not clear to me what the purpose of this application is, but perhaps you are limiting your flexibility quite a bit by going down that path. I’m not saying you should, or shouldn’t, I just want to understand if this is all clear from the beginning. You clearly have experience with PKIs, so I just wanted to get your thoughts on the issues above.

Thanks,
Antonis
