On 13/02/17 12:23, Gervase Markham wrote:
> The GoDaddy situation raises an additional issue.
> ....
> What can be done about the potential future issue (which might happen
> with any large CA) of the need to untrust a popular intermediate?
> Suggestions welcome.

Reviewing the discussion, I unfortunately don't see any workable solutions proposed yet. I think AIA chasing is a red herring.

Jeremy's engagement on intermediate rotation was illuminating, but it seems to me that having multiple intermediates in play at the same time over an extended period is very likely not to solve the problem, because any issuance problem would cut across them all.

If customers tend to renew annually, one could imagine a "January intermediate", "February intermediate" and so on, and one uses the former every January, etc. This might reduce the need for an intermediate change when an EE cert changes, as I have sympathy for the view that in today's world changing intermediate does make the process a little more error prone. (Although it shouldn't, and that's a technology fail I hope can be addressed.) Then, if you have an issuance problem which persisted for a month but which has led to a situation where you can't trust anything off the intermediates used during those times, only 1/6th of your outstanding certs from that root are at risk of needing immediate change rather than all of them.

I guess the question is: is it worth it? Are the chances of this proving useful in an actual scenario high enough compared to the cost and hassle of imposing such a scheme on all CAs? If we decide to distrust the intermediate under such a scheme, is the CA practically as stuffed as it would be if it had just used one intermediate? :-)

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
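The two rotation strategies Gerv contrasts (several intermediates active at once versus one intermediate per calendar month) can be compared by working out the share of outstanding certificates a CA would have to replace if the intermediates active during an incident window were distrusted. The following is an added example, not code from the post or from any CA; the population of certificates, the intermediate names (`ICA-Jan`, `ICA-A`, ...) and the incident dates are all constructed. A 30-day window that starts mid-month straddles two monthly intermediates, so two of twelve are distrusted and the blast radius is the 1/6th figure the post mentions; with a pool of concurrently active intermediates, every intermediate was in use during the window and the whole population is affected.

```python
from collections import Counter
from datetime import date, timedelta


def monthly_scheme(day: date) -> set[str]:
    """Rotation scheme: one intermediate per calendar month (constructed names)."""
    return {"ICA-" + day.strftime("%b")}


def pool_scheme(day: date) -> set[str]:
    """Alternative scheme: three intermediates all active at once, every day."""
    return {"ICA-A", "ICA-B", "ICA-C"}


def outstanding_certs(year: int, scheme, per_month: int = 1200) -> Counter:
    """Constructed population: per_month certificates issued in each month of
    `year` (customers renewing annually), spread evenly over the intermediates
    the scheme has active that month. Returns intermediate -> cert count."""
    population = Counter()
    for month in range(1, 13):
        active = sorted(scheme(date(year, month, 15)))
        for ica in active:
            population[ica] += per_month // len(active)
    return population


def intermediates_in_window(scheme, start: date, days: int) -> set[str]:
    """Every intermediate that was active on some day of the incident window.
    Under the assumption in the post, all of these must be distrusted."""
    distrusted: set[str] = set()
    for n in range(days):
        distrusted |= scheme(start + timedelta(days=n))
    return distrusted


def blast_radius(population: Counter, distrusted: set[str]) -> float:
    """Fraction of outstanding certificates chaining to a distrusted intermediate."""
    total = sum(population.values())
    hit = sum(n for ica, n in population.items() if ica in distrusted)
    return hit / total


def compare(year: int = 2017, start: date = date(2017, 1, 15), days: int = 30) -> dict:
    """Blast radius of one incident window under both schemes.
    Returns scheme name -> (sorted distrusted intermediates, fraction affected)."""
    results = {}
    for name, scheme in (("monthly", monthly_scheme), ("pool", pool_scheme)):
        population = outstanding_certs(year, scheme)
        distrusted = intermediates_in_window(scheme, start, days)
        results[name] = (sorted(distrusted), blast_radius(population, distrusted))
    return results


if __name__ == "__main__":
    for name, (distrusted, fraction) in compare().items():
        print(f"{name:8s} distrust {distrusted}: {fraction:.3f} of certs affected")
```

Running it with the default mid-January window reports 2/12 of the population for the monthly scheme and all of it for the pool scheme; shortening the window so it falls inside one month (for example 20 days from 1 January) drops the monthly figure to 1/12, which is the best case the scheme offers.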