[cabfpub] Proposed addition to BRs allowing issuance of <2048

Gervase Markham gerv at mozilla.org
Fri Jun 14 09:43:20 UTC 2013

On 13/06/13 21:52, Eddy Nigg (StartCom Ltd.) wrote:
> In that case they in my opinion are very relevant for the BR and what
> you call "web-pki".

Can you expand on that?

These are embedded devices accessing specific servers which are designed
to communicate with them. If this was happening over a private network,
it would clearly be not "Web PKI". Are you saying that any SSL
connection which traverses the public Internet is "Web PKI"?

If not, it would help if you were to explain how you decide what is and
what is not Web PKI.

> For various reasons no such certificates should be
> used anymore (not care particular about your CAs or your clients risk,
> but rather regarding the entire industry which must work according to
> some set standard we agreed upon and which makes sense).

Why is this situation different from the "issue from the root"
situation, where we have a limited exception for legacy compatibility?

Do you have any evidence that the exception is being abused in that case?


More information about the Public mailing list