On 11/10/16 02:55, Ryan Sleevi wrote:
> CAs would and could address that continuity by signing their new
> root with their old (distrusted) root, and only issuing certificates
> with the new root, while the old root fades into obsolescence.
>
> This offers continuity because the certs issued by new-root could be
> trusted by clients that only trust old-root, by cross-signing
> new-root with old-root, while still offering the assurances to the
> public that old-root can safely be distrusted.

What do you say to my point that in practice there would be a set of browsers which trusted neither - those released during the dis-trust period?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy