On 13/02/17 19:22, Jeremy Rowley wrote:
> As we tied the intermediate to a specific set of companies (which correlated
> roughly to a specific volume of certificates), renewal and pinning were
> non-issues. As long as each company was identified under the same umbrella,
> an entity renewing, ordering a new cert, or pinning received the same
> intermediate each time and was tied to the specific entity.
This seems like a sane idea. Any CA which was required to rotate its intermediates would not be required to rotate them on a time basis; they could choose any rotation scheme they liked which kept them within the per-intermediate limits.

_However_, if multiple intermediates are being issued at once, and there is a process or other problem, the likelihood of them all being affected is high. (The rest of the validation path would likely be the same.) Therefore, you haven't necessarily solved the problem. Can a more complex rotation scheme square this circle?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy