On Tue, May 16, 2017 at 6:05 AM Peter Gutmann via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> writes:
>
> >An alternative solution to the ossification that Alex muses about is to
> >require that all CAs must generate (new) roots on some interval (e.g. 3
> >years) for inclusion. That is, the 'maximum' a root can be included in a
> >Mozilla product is 3 years (or less!)
>
> Unless someone has a means of managing frequent updates of the root
> infrastructure (and there isn't one, or at least none that work), this will
> never fly. There's a reason why roots have 20-40 year lifetimes and why they
> get on-sold endlessly across different owners rather than simply being
> replaced when required.

Mozilla updates every six to eight weeks. And that works. That's all that matters for this discussion.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy