[cabfpub] Concerns regarding Mozilla Root Program/Baseline Requirements

Gervase Markham gerv at mozilla.org
Thu Aug 1 13:46:23 UTC 2013

On 01/08/13 14:43, Rich Smith wrote:
> The subject we're currently discussing was not spelled out clearly at all,
> and my recollection regarding the discussions around validity period was
> that it was well understood that there were long lived certificates out
> there, and that they would be allowed to live out their life-cycles.

There's a difference between allowing a cert to live out its life cycle
because it's unreasonable to ring up a customer and tell them to make a
change to their running system, and the situation where they are already
making that change and you have an opportunity to issue them a
replacement cert which is BR-compliant.

> Certificate duration has the potential to affect a much larger number of
> customers and I don't think those of us who have issued them in the past
> would have agreed to specific terms in the BR stating that we would have to
> revoke them, absent any other security vulnerability, had that been clearly
> stated from the outset.

This is not a request for revocation, it's a request that newly-minted
certificates conform to the BRs, even if the cert they are replacing did


