On Tue, Mar 20, 2018 at 12:56 PM, Eric Mill via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I think it's not going to be productive to spend a lot of time on the list
> debating whether or not a CA can opt out of full BR compliance by simply
> saying "we're winding down and won't issue certificates anymore". From
> Mozilla's perspective, any root in their trust stores needs to be held to
> the same standard.

I agree. The prerequisites for recognizing a "wind-down CA" mode are at least:

- BR updates that enable auditors to issue a report stating that the CA is fully compliant with a "wind-down" mode of operations.
- Mozilla/Firefox CT policy/enforcement that ensures the CA can't simply back-date certs.