[cabfpub] Urgent: BR Exceptions for Subordinate CA Certificates

Gervase Markham gerv at mozilla.org
Fri Nov 1 11:12:59 UTC 2013

On 31/10/13 20:59, Eddy Nigg (StartCom Ltd.) wrote:
> Kathleen, if you recall at the time of the (initial) root inclusion
> request regarding this root at Mozilla we had exactly the very same
> issue and with an eye on exactly those types of names the BR does NOT
> allow such names. This was also discussed at that time and I would
> object (on our part should this come up for vote) to an exception for
> these kinds of names. Exactly for this the BR was created to get rid of
> such practices.

Quite so. The question here is not "are such practices acceptable when
new roots are created" - clearly, they are not. The question is: how do
we deal with this compatibility issue we have with a legacy root with an
unfortunate name?

You can argue, if you like, that roots issued before the BRs were
thought of and so which don't meet them should be immediately abandoned,
and nothing should ever be done to enable them to continue to function
for one second more, but normally the CABF has a less drastic approach
to backwards compatibility than that.

