On Wed, Mar 6, 2013 at 2:48 PM, Eddy Nigg (StartCom Ltd.) <span dir="ltr">&lt;<a href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>&gt;</span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<br>
On 03/07/2013 12:23 AM, From Ryan Sleevi:
<div class="im"><blockquote type="cite">
<div class="gmail_quote">
<div>I think regardless of what this Forum decides,
Browsers/Root Stores will continue to operate their programs
independently. Granting exceptions through language in the BR
certainly can provide a framework, but if no root store
respects or accepts that framework, it serves no end.
Likewise, this Forum may decide NOT to include particular
language in the BRs, but Browsers/Root Stores that are
committed to moving the security standard higher may decide to
independently impose such restrictions, for the protection and
safety of their users.</div>
</div>
<br>
</blockquote>
<br></div>
Right, but for the record here we are talking about "downgrading" or
introducing an exception. Even if software vendors would agree to
it, I believe such certificates would not be in compliance with the
BR - until that has been changed and approved for such an exception.<br>
<br>
Therefore I believe the software vendors' acceptance is also limited
in this respect.<br>
<br>
<br>
<div>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org" target="_blank">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a>startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org" target="_blank">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg" target="_blank">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</div>
<br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br><div>Correct - without changes to the BRs, such certs are definitely not compliant with the BRs.</div><div><br></div><div>Whether or not a root store accepts them (compliant or not) is a separate and independent question, that gets to the heart of the matter.</div>
<div><br></div><div>Watering down the BRs to make such certs 'acceptable' (by virtue of exceptions) only serves to weaken the BRs, and such weakening may or may not be acceptable to root programs.</div>