On 22/08/17 11:02, Ryan Sleevi wrote:
> I think it'd be useful if we knew of reasons why standing up (and
> migrating) to a new infrastructure was not desirable?

It is true that in the case of a legacy root, creating a new root with a
cross-sign is not technically all that complex (although it may take
some time organizationally) and then we could embed that new one.

Given that option, perhaps a blanket statement of BR compliance for all
unexpired and unrevoked certificates is OK - allowing the CA to choose
how best to meet the requirement. (Of course, given the recent
BRpocalypse and how many CAs it affected, we may expect a new CA to need
to go through a similar process of weeding out problems.)

https://github.com/mozilla/pkipolicy/issues/99 filed.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy