On 05/16/2017 06:05 AM, Peter Gutmann wrote: > Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> > writes: > > Unless someone has a means of managing frequent updates of the root > infrastructure (and there isn't one, or at least none that work), this will > never fly. There's a reason why roots have 20-40 year lifetimes and why they > get on-sold endlessly across different owners rather than simply being > replaced when required. > > Peter. >
Arguably, this would be a nice thing to fix since it could help reduce issues with CA's changing owners. If we could update root stores retroactively, it would make a lot of migrations simpler. For example, if a device took the entire Mozilla root store before CNNIC was booted out, those devices would still trust those certificates. Given the glacier pace some things update at, having a type of root agility would be rather desirable. Just spitballing ideas here, but in Alex's case, part of me would be tempted to see if X509 could be extended with a new "CanIssueUntil" field. Basically, it would act as an off switch for CA:TRUE after a given date, but certificates signed before that would still be valid for that root, and then can be wound down beyond that point. Maybe a bit out there, but an interesting thought none the less. It would definitely go a good way at preventing one root certificate from underpinning a large chunk of the internet. My thought here is if a large "Too Big to Fail" CA's private key was compromised/factored/physically stolen, our only recourse would be to remove them from the root store, and deal with half the internet breaking. Would be nice if that could not be a thing. Michael _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy