On 16/05/17 13:24, Michael Casadevall via dev-security-policy wrote:
<snip>
> Just spitballing ideas here, but in Alex's case, part of me would be tempted to see if X509 could be extended with a new "CanIssueUntil" field. Basically, it would act as an off switch for CA:TRUE after a given date, but certificates signed before that would still be valid for that root, and then can be wound down beyond that point.
That sounds like the "Private Key Usage Period" extension, which was present in RFC3280 but removed in RFC5280.
https://tools.ietf.org/html/rfc3280#section-4.2.1.4

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
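Added example, not part of the original thread: a minimal pure-Python DER encoder/decoder for the Private Key Usage Period extension Rob points to (OID 2.5.29.16, RFC 3280 section 4.2.1.4), plus a check that applies it the way the "CanIssueUntil" idea describes, i.e. against the time a certificate was signed rather than the time it is verified. The function names and the sample dates are my own.

```python
# PrivateKeyUsagePeriod ::= SEQUENCE {
#     notBefore [0] IMPLICIT GeneralizedTime OPTIONAL,
#     notAfter  [1] IMPLICIT GeneralizedTime OPTIONAL }
# OID 2.5.29.16 (id-ce-privateKeyUsagePeriod), RFC 3280 section 4.2.1.4.
from datetime import datetime, timezone

GT_FMT = "%Y%m%d%H%M%SZ"  # GeneralizedTime, UTC, no fractional seconds


def _tlv(tag, body):
    # Short-form DER length is enough: two timestamps never exceed 127 bytes.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def encode_private_key_usage_period(not_before=None, not_after=None):
    body = b""
    if not_before is not None:
        body += _tlv(0x80, not_before.strftime(GT_FMT).encode())  # [0] IMPLICIT
    if not_after is not None:
        body += _tlv(0x81, not_after.strftime(GT_FMT).encode())   # [1] IMPLICIT
    return _tlv(0x30, body)                                        # SEQUENCE


def decode_private_key_usage_period(der):
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    period = {"notBefore": None, "notAfter": None}
    i = 2
    while i < len(der):
        tag, n = der[i], der[i + 1]
        val = der[i + 2:i + 2 + n]
        if len(val) != n:
            raise ValueError("truncated element")
        dt = datetime.strptime(val.decode("ascii"), GT_FMT).replace(tzinfo=timezone.utc)
        if tag == 0x80:
            period["notBefore"] = dt
        elif tag == 0x81:
            period["notAfter"] = dt
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
        i += 2 + n
    return period


def signing_allowed(ext_der, signed_at):
    # The "off switch": the CA key may not sign outside the period, but
    # certificates it signed inside the period are unaffected afterwards.
    p = decode_private_key_usage_period(ext_der)
    if p["notBefore"] is not None and signed_at < p["notBefore"]:
        return False
    if p["notAfter"] is not None and signed_at > p["notAfter"]:
        return False
    return True


def demo():
    # Constructed sample: root key may sign until 2020-01-01 (my own date).
    cutoff = datetime(2020, 1, 1, tzinfo=timezone.utc)
    ext = encode_private_key_usage_period(not_after=cutoff)
    before = signing_allowed(ext, datetime(2019, 6, 1, tzinfo=timezone.utc))
    after = signing_allowed(ext, datetime(2021, 6, 1, tzinfo=timezone.utc))
    roundtrip = decode_private_key_usage_period(ext)["notAfter"] == cutoff
    return ext, before, after, roundtrip
```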