On 12/13/13 4:03 AM, Rob Stradling wrote:
On 12/12/13 01:08, fhw...@gmail.com wrote:
That's the great part about this, Rob, you don't actually have to revoke
anything.
Peter, thanks for sharing your interpretation. What concerns me is that
the same interpretation is not shared by everyone.
I don't really care whether or not these certs need to be revoked by the
end of 2013. What I am concerned about is the possibility that CAs
might be reprimanded because they failed to follow an unwritten rule!
In my opinion, it is OK for CAs to take a little more time to finish
transitioning their existing customers off of 1024-bit certs.
The certs will just stop working at some point.
Correct.
I'm being somewhat facetious but that's really the bottom line. Perhaps
we should not use the word revocation here because in a strict technical
sense that's not what will happen and nor is revocation really necessary.
CAs have been transitioning their customers off of 1024-bit certs,
because they don't want their customers to suddenly have their certs
stop working.
Some of those customers are coming back and saying that they need more
time for various reasons (often having to do with the hardware that
they're using).
The April 2014 time frame seems to be when most customers can complete
their migration off of 1024-bit certs. I'm OK with that.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
