[cabfpub] FW: CAB Forum Policy Change request

Sigbjørn Vik sigbjorn at opera.com
Thu Sep 17 12:24:13 UTC 2015


On 16-Sep-15 00:44, WILEMON, ANDREA A wrote:

> A key escrow repository and inventory management system does not
> exist, and there are not the resources or time left to build a temporary
> solution.

Here is a solution which doesn't require any time to build:
Order your certificates, and store them all in an encrypted .zip file on
a USB drive.
Store the drive in a safe.
Make sure that no one person has both the code to the safe and the
.zip password. Any access to the .zip file thus requires at least two
people present, and you may add more policies as wanted.
Any requests for certificates are routed to these people.
(A backup drive in a different safe is optional, so is the use of secure
USB HW.)

> We can't issue generic certificates and update them later
> with the Subject Distinguished Name (DN) values

You would need one certificate for each subject name. This is the same
whether they are issued now, or next year.

> We are not asking to extend the SHA-1 deprecation deadline.

You are asking to extend the SHA-1 issuance deadline.

> those browsers that do not support SHA-1
> certificates through 2016 will quickly be retired from our environment.

Two points:
* I read what you wrote as "If some browsers tighten their security, we
will retire them", which I interpret as "If CABForum supports our use
case, we will use the most insecure browser available". That sounds like
a very good reason not to support the use case.
* If you are able to control the environment and retire browsers, you
are also able to install custom roots, in which case you may consider
that as a solution instead.

-- 
Sigbjørn Vik
Opera Software
