[cabfpub] Proposed addition to BRs allowing issuance of <2048
Rob Stradling
rob.stradling at comodo.com
Thu Jun 13 20:30:02 UTC 2013
On 13/06/13 20:45, Ryan Sleevi wrote:
<snip>
> For example, cutting a 'new' root that will have all certificates
> underneath it comply with the Baseline Requirements, and use that root
> for inclusion in all trust anchor stores going forward.

One potential problem with that idea is that quite a few of the Root
Programs impose a limit on the number of Roots per CA.

http://technet.microsoft.com/en-us/library/cc751157.aspx
"Number of roots you would like to submit – maximum of three (3). Up to
three roots per CA can be accepted into the Program because each
additional root negatively impacts users by increasing download time."

http://www.apple.com/certificateauthority/ca_program.html
"A maximum of three roots per CA provider can be accepted because each
additional root negatively impacts users by increasing download time."

http://www.oracle.com/technetwork/java/javase/javasecarootcertsprogram-1876540.html
"A maximum of three root certificates per CA will be accepted to
minimize the impact on performance and installation time."

etc

So I wouldn't advise Rick to follow a strategy that relied on the Root
Programs accepting a 'new' Root, unless a sufficient number of 'old'
Roots could be removed from the Root Programs at the same time.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online