[cabfpub] Preballot - Revised Ballot 190

Ryan Sleevi sleevi at google.com
Thu May 18 07:31:04 MST 2017


On Thu, May 18, 2017 at 10:15 AM, Gervase Markham <gerv at mozilla.org> wrote:

> On 17/05/17 18:29, Doug Beattie via Public wrote:
> > 2)      Set a date within the next 3-6 months for requiring only the 10
> > methods for issuance of all certificates
>
> I think the date for which "only 10 methods" is allowed has de facto
> become a root program issue rather than a BR issue; for Mozilla, it's
> 21st July.
>
> > 3)      Specify which baseline methods were used within the certificate
> > and allow deprecated methods to be used for the next 825 days.  What
> > timeline are we contemplating for this?
>
> It's not about continuing to allow deprecated methods, it's about
> continuing to allow data gathered using deprecated methods. The current
> proposal, to which Ryan is objecting, is to allow all existing data to
> continue to be used for the standard data lifetime of 825 days.
>

While I certainly find it objectionable and unfortunate that CAs would
reuse such data, I'm suggesting that we could be supportive, provided that
we normatively specified a way to signal compliance with the existing
method (so that security-conscious CAs can adopt and signal this), with a
requirement for all CAs to signal compliance further out. If we were to do
this today, we can rely on it within 4 years - but it also seems to be a
reasonable way to compromise with reduced security in the Baseline
Requirements.