I am curious about the software requiring the 1024-bit cert off the root. The dates of mis-issuance are 2013-2014, which is still early in adoption of the BRs. At that time, the scope of the BRs was confusing and led to lots of discussions. Although the term "intended to be used for authenticating servers" is still the scope of the BRs, everyone seems to agree that this means all certs with serverAuth are included. This was not the case in 2013.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Ryan Sleevi via dev-security-policy
Sent: Wednesday, April 12, 2017 6:40 AM
To: Kurt Roeckx <k...@roeckx.be>
Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Symantec Response B

On Wed, Apr 12, 2017 at 4:24 AM, Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> I don't think 2) applies. It's only their software, that obviously
> can't be updated yet, and so won't enforce such a limit. That doesn't
> prevent the rest of us from setting such a limit.
>

Hi Kurt,

I appreciate that you're engaged and offering your thoughts. I would appreciate, however, if you allowed Steve to respond on behalf of Symantec. I do not agree with your conclusions or interpretation of matters, but more importantly, the questions are for Symantec. #2 absolutely applies as a principle.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy