On Fri, 14 Oct 2016 13:21:32 -0700 (PDT) Ryan Sleevi <r...@sleevi.com> wrote:
> In particular, I'm hoping to expand upon the choice to allow existing
> certs to continue to be accepted and to not remove the affected roots
> until 2019.

Hi,

From my understanding the problem here is that the alternative of simply whitelisting the existing certificates isn't feasible, because there are too many of them.

*However*, from what I remember almost all the time the free options of StartCom/WoSign were limited to one year. (I think there was a short period of time when it was possible to get 3-year certs from WoSign for free, but they removed that shortly afterwards.)

Therefore there should be some middle ground option:

a) Keep the existing root for 1 year and trust that WoSign won't backdate certificates.
b) After that the vast majority of WoSign/StartCom certificates will be expired. The number of the remaining ones is probably low enough to make whitelisting feasible.

I haven't checked CT logs for expiration dates, so this is more a guess, but given the history of cert issuance and the reasonable assumption that most certs used the free option, this seems plausible.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy