On Fri, May 10, 2019 at 09:59:48AM -0700, Wayne Thayer via dev-security-policy wrote:
> > On Tue, May 7, 2019 at 7:48 PM Wayne Thayer via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >> To continue to participate in the Mozilla CA program, I recommend that we
> >> require Certinomis to create a new hierarchy and demonstrate their ability
> >> to competently operate their CA by going through a new root inclusion
> >> request. I'd like to propose two options for their existing root:
> >>
> >> 1. Remove it from our root store in an upcoming Firefox release.
> >> 2. Constrain it to use for gouv.fr domains in an upcoming Firefox
> >> release.

[...]

> If we decide to take option 2, I'm open to suggestions about the length of
> time we should continue to trust the root for issuance to gouv.fr domains,
> but I don't expect the answer to be "forever". One approach would be to
> require a relatively quick transition prior to the inclusion of a new
> Certinomis root. Another is to set a date far enough in the future that we
> believe it would be reasonable for Certinomis to have a new root included
> and transition to it, allowing gouv.fr sites to continue to rely on
> Certinomis.

Apologies if I missed mention of this, but has there been any request from
the operators of gouv.fr to maintain trust in Certinomis for subdomains
thereof? I'd be *extremely* uncomfortable with the idea that Firefox would
continue to trust an otherwise distrusted CA for a domain hierarchy without
the enthusiastic and informed consent of the operator of that hierarchy.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
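To make concrete what "constrain it to use for gouv.fr domains" means for a relying party, the following is an added illustration, not code from Mozilla, NSS or Certinomis, and not the mechanism Firefox actually used. It models the constraint as an RFC 5280 dNSName permitted subtree (the name must equal the constraint or end with "." followed by it, so "notgouv.fr" and "gouv.fr.example.com" fall outside) and applies it to the DNS names in a leaf certificate's subjectAltName. The wildcard handling (treating "*.gouv.fr" as inside the subtree because its base domain is) is an assumption chosen for the example; RFC 5280 leaves wildcards unspecified. All certificate names below are constructed samples.

```python
"""Added example: evaluate leaf-certificate DNS names against a root-store
domain constraint such as "gouv.fr".

Modelled on RFC 5280 section 4.2.1.10 dNSName name-constraint matching.
This is a hypothetical illustration, not Mozilla's or NSS's implementation.
"""

from typing import Iterable, List


def dns_name_within(name: str, constraint: str) -> bool:
    """True if `name` lies inside the permitted subtree `constraint`.

    Matching is case-insensitive and only on label boundaries: "gouv.fr"
    permits "gouv.fr" and "x.gouv.fr" but not "notgouv.fr" or
    "gouv.fr.example.com". A leading "*." (wildcard) is stripped and the base
    domain is tested; this wildcard rule is an assumption of this example.
    """
    name = name.strip().lower().strip(".")
    constraint = constraint.strip().lower().strip(".")
    if not constraint:
        # An empty constraint would permit every name; refuse rather than
        # silently widen the trust boundary.
        return False
    if name.startswith("*."):
        name = name[2:]
    return name == constraint or name.endswith("." + constraint)


def violating_names(san_dns_names: Iterable[str],
                    permitted_subtrees: Iterable[str]) -> List[str]:
    """Return the SAN names that fall outside every permitted subtree."""
    subtrees = list(permitted_subtrees)
    return [n for n in san_dns_names
            if not any(dns_name_within(n, c) for c in subtrees)]


def certificate_permitted(san_dns_names: Iterable[str],
                          permitted_subtrees: Iterable[str]) -> bool:
    """A certificate is acceptable under the constraint only if it carries at
    least one DNS name and every DNS name is inside a permitted subtree.

    An empty SAN list is rejected: with nothing to check, the constraint
    cannot be shown to hold.
    """
    names = list(san_dns_names)
    if not names:
        return False
    return not violating_names(names, permitted_subtrees)


if __name__ == "__main__":
    # Constructed sample certificates, as (description, SAN dNSName list).
    samples = [
        ("ministry site", ["www.interieur.gouv.fr", "interieur.gouv.fr"]),
        ("wildcard under gouv.fr", ["*.gouv.fr"]),
        ("mixed SANs", ["www.interieur.gouv.fr", "www.example.com"]),
        ("lookalike suffix", ["notgouv.fr"]),
        ("constraint used as prefix", ["gouv.fr.example.com"]),
        ("over-broad wildcard", ["*.fr"]),
    ]
    for label, sans in samples:
        verdict = "accept" if certificate_permitted(sans, ["gouv.fr"]) else "reject"
        bad = violating_names(sans, ["gouv.fr"])
        print(f"{label:28s} {verdict:7s} offending={bad}")
```

The point a root-store operator would take from running this: the constraint is only as narrow as its matching rule. A naive suffix check that ignored the label boundary would have accepted "notgouv.fr", and a constraint that did not treat wildcard SANs carefully would let "*.fr" through.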