On 20/12/13 17:40, Kathleen Wilson wrote:
On 12/13/13 4:03 AM, Rob Stradling wrote:
On 12/12/13 01:08, fhw...@gmail.com wrote:

That's the great part about this, Rob, you don't actually have to revoke
anything.

Peter, thanks for sharing your interpretation. What concerns me is that
the same interpretation is not shared by everyone.
I don't really care whether or not these certs need to be revoked by the
end of 2013. What I am concerned about is the possibility that CAs
might be reprimanded because they failed to follow an unwritten rule!

In my opinion, it is OK for CAs to take a little more time to finish
transitioning their existing customers off of 1024-bit certs.

Kathleen, perhaps I'm still failing to express my concern clearly.

I am trying to understand exactly what you mean by 1024-bit cert
revocation requirement.

To me, cert revocation means replying revoked via OCSP for that
cert's serial number, and also adding that cert's serial number to the CRL.

I understand that new versions of browsers will stop accepting 1024-bit
certs and that site operators will naturally stop using 1024-bit certs.
But neither stopping using nor stopping accepting are the same thing
as revocation.

My question is simple: Will CAs need to revoke all unexpired 1024-bit
certs by the cut-off date?
If Yes, where is this requirement written?
If No, please simply reply No.

Thanks.

snip
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online