On Tue, Mar 20, 2018 at 12:56 PM, Eric Mill via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>
> I think it's not going to be productive to spend a lot of time on the list
> debating whether or not a CA can opt out of full BR compliance by simply
> saying "we're winding down and won't issue certificates anymore". From
> Mozilla's perspective, any root in their trust stores needs to be held to
> the same standard.
>

I agree. The prerequisites for recognizing a "wind-down CA" mode are at
least:
- BR updates that enable auditors to issue a report stating that the CA is
fully compliant with a "wind-down" mode of operations.
- Mozilla/Firefox CT policy/enforcement that ensures the CA can't simply
back-date certs.