[cabfpub] FW: [cabfquest] Key Size Exception

Ryan Sleevi sleevi at google.com
Wed Mar 6 22:56:07 UTC 2013

On Wed, Mar 6, 2013 at 2:48 PM, Eddy Nigg (StartCom Ltd.) <
eddy_nigg at startcom.org> wrote:

> On 03/07/2013 12:23 AM, From Ryan Sleevi:
>  I think regardless of what this Forum decides, Browsers/Root Stores will
> continue to operate their programs independently. Granting exceptions
> through language in the BR certainly can provide a framework, but if no
> root store respects or accepts that framework, it serves no end. Likewise,
> this Forum may decide NOT to include particular language in the BRs, but
> Browsers/Root Stores that are committed to moving the security standard
> higher may decide to independently impose such restrictions, for the
> protection and safety of their users.
> Right, but for the record here we are talking about "downgrading" or
> introducing an exception. Even if software vendors would agree to it, I
> believe such certificates would be not in compliance with the BR - until
> that has been changed and approved for such an exception.
> Therefor I believe the software vendors acceptance is also limited in this
> respect.
>   Regards      Signer:  Eddy Nigg, COO/CTO    StartCom Ltd.<http://www.startcom.org>
> XMPP:  startcom at startcom.org  Blog:  Join the Revolution!<http://blog.startcom.org>
> Twitter:  Follow Me <http://twitter.com/eddy_nigg>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
Correct - without changes to the BRs, such certs are definitely not
compliant with the BRs.

Whether or not a root store accepts them (compliant or not) is a separate
and independent question, that gets to the heart of the matter.

Watering down the BRs to make such certs 'acceptable' (by virtue of
exceptions) only serves to weaken the BRs, and such weakening may or may
not be acceptable to root programs.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20130306/252d5446/attachment-0003.html>

More information about the Public mailing list