On Tue, Jun 06, 2017 at 10:13:20AM +0100, Gervase Markham via 
dev-security-policy wrote:
> Aside from taking a note of how often this happens and it perhaps
> appearing in a future CA investigation as part of evidence of
> incompetence, does anyone else have ideas about how we can further
> incentivise CA compliance with a requirement which was promulgated some
> time ago, for which all the deadlines have passed, and which should be a
> simple matter of paperwork?

"If we find 'em, rather than you telling us about them, they go in OneCRL
as soon as we come across them"?  It'll upset a few site operators because their
sites won't work, and the CA will have to work to fix, but hopefully not
enough certs will be issued before the intermediate surfaces to cause
sufficiently widespread pain.

Alternately, flag roots that have had submarine intermediates surface
before, and switch them to an intermediates whitelist approach.  That'll
cause some degree of pain and suffering for those CAs that can't manage to
remember to tell the CCADB when they issue, by delaying the utility of any
future intermediates until some time after they've finally got around to
submitting them (when the whitelist gets updated, whether that's via a new
release or otherwise).

- Matt

-- 
aren't they getting rarer than amigas now?  just without all that fuzzy
"good times" nostalgia?
                -- Ron Lee, in #debian-devel, on Itanic

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy