[cabfpub] Concerns regarding Mozilla Root Program/Baseline Requirements

Gervase Markham gerv at mozilla.org
Thu Aug 8 08:55:15 UTC 2013

On 08/08/13 03:05, kirk_hall at trendmicro.com wrote:
> Ryan, I think you are putting up a straw man argument when you imply
> that CAs could cheat on all the BR rules by pretending they are simply
> reissuing a pre-BR cert, so they don’t have to comply with anything.  To
> my knowledge, no one has done that or proposed that. 

Indeed not. But Ryan's point is that the arguments being deployed here
could be used to support such action for exactly the same reasons. If
the BRs don't apply to reissues, as some are arguing, then they don't
apply full stop. And if someone comes along later and wants to make them
not apply to some other aspect of a reissue, one can hardly object.

> I believe that many CAs have always allowed a free reissue of an
> outstanding cert in their subscriber agreements (for the remaining
> certificate validity period only – not for any extended period) if
> necessary due to a technical problem such as loss of private key.  So
> the reissued (re-keyed) cert for the remaining validity period presents
> no greater danger to the internet community than the previously issued,
> pre-BR 10 year cert.  Does it?

The question of whether there is a risk for this particular change is a
separate question to whether the BRs are intended to apply to reissues
or not.

One possible outcome is that we clarify that the BRs apply to reissues
entirely, but that we carve out an exception for certificate duration
(or some other aspect) because we think that the risk of varying that
particular aspect of certificates is not great.

> I can’t fully understand why some are acting as if there is a grave
> danger from reissue/rekeying for the remaining validity period 

I think that people are less concerned about that, and more concerned
about the grave danger if your line of argument is accepted - because it
proves too much.


More information about the Public mailing list