We could require self-reporting split between customer and CA-owned EE
certificates (potentially with audits) here, but I'm not a huge fan of the
idea of a set threshold. There might be smaller CAs that can justify value
either way.

Maybe we could instead make this a requirement to have a root certificate
in the trust store but instead allow fully outsourced intermediary
certificates to be operated by these entities? They could still be revoked
via OneCRL etc. if they need to be removed and would have the same
requirements as other CAs, but would take up less space in a compression
table because fewer certificates would be needed. Of course, this would not
mitigate the other security issues.

Perhaps a combination of stricter justification of value and my proposal
might make sense?

Maria Merkel

On Sun, Jul 30, 2023 at 10:54 AM passerby184 <tjtn...@gmail.com> wrote:

> Wouldn't they just print certificates to fill the quota? Not like they
> actually cost them to sign things
>
> On Sunday, July 30, 2023 at 12:47:47 PM UTC+9, Watson Ladd wrote:
>
>> On Sat, Jul 29, 2023 at 8:35 PM Phillip Hallam-Baker
>> <ph...@hallambaker.com> wrote:
>> >
>> > Which compression scheme is this?
>>
>> Abridged certificate compression from
>> https://datatracker.ietf.org/meeting/117/session/tls
>> >
>> > Why is this compression scheme likely to take off when there was no
>> > interest in pursuing my proposal or that of Rob Stradling ten years ago?
>> >
>> > I am not sure why the number of CAs would lead to issues either. Please
>> > explain.
>>
>> Each CA has a root that has to be identified and an intermediate that
>> also needs identification. This increases the amount of data the
>> clients have to ship with.
>>
>> Sincerely,
>> Watson Ladd
>> --
>> Astra mortemque praestare gradatim
>>
> --
> You received this message because you are subscribed to the Google Groups "
> dev-security-policy@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to dev-security-policy+unsubscr...@mozilla.org.
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/6f09f6f3-16d8-44c6-ad34-470a234407acn%40mozilla.org
> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/6f09f6f3-16d8-44c6-ad34-470a234407acn%40mozilla.org?utm_medium=email&utm_source=footer>
> .
>
