Hi Ryan, I've lost the thread on how this addresses Cory's original problem statement, if you could spell that out that'd be very helpful.
Alex

On Tue, May 16, 2017 at 10:22 AM, Ryan Sleevi <r...@sleevi.com> wrote:

> On Tue, May 16, 2017 at 7:58 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
>> Ryan Sleevi <r...@sleevi.com> writes:
>>
>> >I can't help but feel you're raising concerns that aren't relevant.
>>
>> CAs issue roots with effectively infinite (20 to 40-year) lifetimes because
>> it's too painful to do otherwise. You're proposing instead:
>
> That's not an appropriate summary of the issues, but equally, as I already
> described, and perhaps could work through with you if you had further
> questions (rather than criticisms), that the 'too painful' scenario is
> still meaningfully addressed.
>
>> require that all CAs must generate (new) roots on some interval (e.g. 3
>> years) for inclusion.
>>
>> (that's quoted from the original message I replied to). How do you propose
>> that Mozilla is going to get every commercial CA on earth to do this?
>
> The same way we in the Mozilla community have made progress for the past
> decade - https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
>
> It's fairly easy to submit PRs to https://github.com/mozilla/pkipolicy
> and discuss. Perhaps we can discuss the substance of the proposal, and work
> through any confusion or misunderstanding, rather than suggesting it's not
> possible because it's hard (of which both are not correct)