On 11/10/16 15:08, Nick Lamb wrote:
> Mozilla could choose to do that too, and agree that when a new CA is
> added to NSS it will use the Mozilla CA (trusted but never used to
> issue end entity certificates) to cross sign the new CA. The
> resulting certificate could be included in chains for the new CA's
> end entity certificates, allowing them to be trusted by older Firefox
> versions immediately.
>
> Does that work?
Technically, it does, but it's not a scalable solution for all root stores, as each would need its own cross-sign and it would bloat the number of certs a site would need to send by one per store. Also, Mozilla would need to spin up the infra and security (or pay someone else to host it) for the HSM for such a seriously valuable key. That's not something that would be an easy sell.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
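The mechanism Nick sketches and Gerv calls technically workable, as an added example that is not from this thread, from Mozilla or from NSS: two independent self-signed roots, a cross-certificate for the new root's key issued by the old one, and a leaf issued by the new root, then path validation against a store that holds only the old root and a store that holds only the new one. It uses Go's standard crypto/x509; the names "Mozilla CA", "New CA" and "example.test" and all keys are hypothetical, generated at run time and correspond to no real CA material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names for the example; none of these is a real CA or host.
const (
	oldRootCN = "Mozilla CA"   // root old Firefox already trusts, never issues end-entity certs
	newRootCN = "New CA"       // root newly added to NSS, unknown to old Firefox
	siteName  = "example.test" // end-entity subject
)

// Scenario holds the four certificates the thread talks about.
type Scenario struct {
	OldRoot *x509.Certificate // self-signed "Mozilla CA"
	NewRoot *x509.Certificate // self-signed "New CA"
	Cross   *x509.Certificate // "New CA" public key, issued (cross-signed) by "Mozilla CA"
	Leaf    *x509.Certificate // site certificate issued by "New CA"
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate is a minimal CA certificate body; the serial only needs to be
// unique per issuer, so the cross-cert gets its own.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// issue signs tmpl for pub with signer's key; passing tmpl as its own parent
// yields a self-signed root. Go fills SubjectKeyId/AuthorityKeyId for us.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewScenario builds the hierarchy: two unrelated roots, a cross-certificate
// that binds the new root's key under the old root, and one leaf under the new root.
func NewScenario() Scenario {
	oldKey, newKey := genKey(), genKey()

	oldT := caTemplate(oldRootCN, 1)
	oldRoot := issue(oldT, oldT, &oldKey.PublicKey, oldKey)

	newT := caTemplate(newRootCN, 2)
	newRoot := issue(newT, newT, &newKey.PublicKey, newKey)

	// The cross-sign: same subject and public key as newRoot, but issued by oldRoot.
	cross := issue(caTemplate(newRootCN, 3), oldRoot, &newKey.PublicKey, oldKey)

	leafKey := genKey()
	leafT := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: siteName},
		DNSNames:     []string{siteName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafT, newRoot, &leafKey.PublicKey, newKey)

	return Scenario{OldRoot: oldRoot, NewRoot: newRoot, Cross: cross, Leaf: leaf}
}

// ChainsTo reports whether leaf validates against a store holding only roots,
// given the extra certificates the site sends alongside the leaf.
func ChainsTo(leaf *x509.Certificate, sent []*x509.Certificate, roots ...*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range sent {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: siteName})
	return err == nil
}

func main() {
	s := NewScenario()
	withCross := []*x509.Certificate{s.Cross}
	fmt.Println("old store, leaf only:    ", ChainsTo(s.Leaf, nil, s.OldRoot))       // false
	fmt.Println("old store, leaf + cross: ", ChainsTo(s.Leaf, withCross, s.OldRoot)) // true
	fmt.Println("new store, leaf only:    ", ChainsTo(s.Leaf, nil, s.NewRoot))       // true
	fmt.Println("new store, leaf + cross: ", ChainsTo(s.Leaf, withCross, s.NewRoot)) // true
}
```

The old store only accepts the leaf when the site ships the cross-certificate as an extra chain element; the new store validates the leaf directly and simply ignores the cross-certificate if it is sent. That is the cost Gerv points at: each root program that adopted this scheme would add one more such certificate to every handshake.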