On Tue, May 7, 2019, at 19:48, Wayne Thayer via dev-security-policy wrote:

> 2. Constrain it to use for gouv.fr domains in an upcoming Firefox release.
>
> While there are only a few thousand unexpired TLS certificates (the root is
> not trusted for email) known to chain to this root, a few are in use by
> major French government websites (e.g. ants.gouv.fr). I have suggested
> option #2 to minimize disruption to those subscribers and relying parties.
>
> I will greatly appreciate everyone’s input on my recommendation and the
> proposed options.
Hi Wayne,

My preference would be removing the root entirely. So far there have been no requests from either the CA or any subscribers for special treatment of specific sites or certificates. If Certinomis isn't trustworthy (which I think is documented in the current record), why should a high-assurance use case (government websites) be special-cased as trusted?

It's also worth noting that the certificate issued for ants.gouv.fr has a three-year validity period, and the lower we push validity periods, the lower the impact is for removing individual CAs from root stores.

Jonathan

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
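The two points under discussion, what a gouv.fr name constraint on the root would actually keep working and how long residual trust in the retained certificates would last, can be estimated from an inventory of the unexpired leaf certificates. The following is an added example written for this page, not code from the thread, from Mozilla, or from Certinomis. It implements RFC 5280 dNSName constraint matching in plain Python and runs it over a handful of constructed certificate records; the hostnames other than ants.gouv.fr, all expiry dates, and the assessment date are invented for illustration and are not figures from the discussion.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of a TLS leaf certificate (constructed for this example)."""
    subject_cn: str
    sans: tuple          # DNS subjectAltName entries
    not_after: datetime  # expiry, timezone-aware


def dns_name_permitted(name: str, constraint: str) -> bool:
    """RFC 5280 dNSName name-constraint check.

    A constraint such as "gouv.fr" permits the host itself and any subdomain,
    compared label by label and case-insensitively. "notgouv.fr" must NOT
    match, and a wildcard name only matches if the wildcard label sits below
    the constraint (so "*.fr" is not permitted under "gouv.fr").
    """
    name_labels = name.lower().rstrip(".").split(".")
    cons_labels = constraint.lower().strip(".").split(".")
    if len(cons_labels) > len(name_labels):
        return False
    if name_labels[0] == "*" and len(cons_labels) >= len(name_labels):
        return False
    return name_labels[-len(cons_labels):] == cons_labels


def cert_permitted(cert: CertRecord, constraint: str) -> bool:
    """A certificate survives the constraint only if every DNS SAN is permitted;
    a single out-of-scope SAN makes the whole chain fail validation."""
    return all(dns_name_permitted(n, constraint) for n in cert.sans)


def assess_constraint(certs, constraint: str, as_of: datetime) -> dict:
    """Split unexpired certificates into those that keep validating under a
    name-constrained root and those that break, and report how many days the
    retained ones would still be trusted (the residual exposure window)."""
    kept, broken = [], []
    for c in certs:
        if c.not_after <= as_of:
            continue  # already expired: no impact either way
        (kept if cert_permitted(c, constraint) else broken).append(c)
    residual = max((c.not_after - as_of).days for c in kept) if kept else 0
    return {
        "kept": [c.subject_cn for c in kept],
        "broken": [c.subject_cn for c in broken],
        "residual_trust_days": residual,
    }


UTC = timezone.utc
# Constructed sample inventory; dates and hosts other than ants.gouv.fr are invented.
SAMPLE_CERTS = (
    CertRecord("ants.gouv.fr", ("ants.gouv.fr", "www.ants.gouv.fr"),
               datetime(2021, 6, 1, tzinfo=UTC)),
    CertRecord("*.impots.gouv.fr", ("*.impots.gouv.fr",),
               datetime(2019, 12, 1, tzinfo=UTC)),
    CertRecord("shop.example.fr", ("shop.example.fr",),
               datetime(2020, 1, 1, tzinfo=UTC)),
    # mixed SANs: one name outside gouv.fr breaks the whole certificate
    CertRecord("portal.gouv.fr", ("portal.gouv.fr", "portal-backup.fr"),
               datetime(2020, 3, 1, tzinfo=UTC)),
    CertRecord("old.gouv.fr", ("old.gouv.fr",),
               datetime(2018, 12, 31, tzinfo=UTC)),  # expired, ignored
)
ASSESSMENT_DATE = datetime(2019, 5, 8, tzinfo=UTC)  # constructed


if __name__ == "__main__":
    report = assess_constraint(SAMPLE_CERTS, "gouv.fr", ASSESSMENT_DATE)
    print(f"kept under constraint : {report['kept']}")
    print(f"broken by constraint  : {report['broken']}")
    print(f"residual trust window : {report['residual_trust_days']} days")
```

The residual window is driven by the longest-lived retained certificate, which is exactly why shorter validity periods shrink the cost of a root removal: the same assessment run against an inventory capped at one-year certificates would bound the exposure at under a year regardless of which option is chosen.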