On Wednesday, December 6, 2023 at 5:27:11 AM UTC-8 Peter Gutmann wrote:
> I meant the use of certificate pinning, so trusting the known-good cert
> you've seen before

If a client or relying party wants to enforce key continuity, they still can. If they want continuity of a CA key operated by their certificate authority, they can pin the root key. If they want continuity of a key lower in the hierarchy, they can do their own key management and pin their site's end-entity key. This change does not break key continuity in general.

On Tuesday, December 5, 2023 at 5:56:20 PM UTC-8 Peter Gutmann wrote:
> Just trying to get an idea of how widespread this is.

Amazon Trust Services already issues from unpredictable intermediates <https://aws.amazon.com/blogs/security/amazon-introduces-dynamic-intermediate-certificate-authorities/>, and they provide the same advice in their announcement: pinning roots is better than pinning intermediates.

And I'll reiterate that various Root Programs are moving towards enforcing short intermediate lifetimes, so this idea is not just restricted to CAs.

Finally, there are many aspects of the new certificates (policy OIDs, naming, cross-signing the ECDSA intermediates, etc.) which have not yet been discussed on this thread. If you have thoughts or concerns about any of those, please chime in!

Thanks,
Aaron
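Added example, not code from the thread or from any CA: a self-contained Go program that builds a constructed root -> intermediate -> leaf test chain, pins one tier by SPKI hash, then has the CA swap in a new intermediate and re-issue the leaf, as the message describes. A root pin, or an end-entity pin where the site keeps its own key, still matches the new chain; an intermediate pin does not. All names and keys are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// Pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo (the RFC 7469 pin form).
func Pin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}
// issue certifies key (generated when nil) under parent, self-signing when parent is nil. Test PKI only.
func issue(cn string, ca bool, key *ecdsa.PrivateKey, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	if key == nil {
		key, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// PinSurvivesRotation pins one tier ("root", "intermediate" or "leaf") of a root -> intermediate -> leaf
// chain, then has the CA replace its intermediate and re-issue the leaf; the site keeps its own leaf key.
func PinSurvivesRotation(tier string) bool {
	root, rootKey := issue("Test Root", true, nil, nil, nil)
	ica, icaKey := issue("Test Intermediate R1", true, nil, root, rootKey)
	leaf, leafKey := issue("example.test", false, nil, ica, icaKey)
	pinned := Pin(map[string]*x509.Certificate{"root": root, "intermediate": ica, "leaf": leaf}[tier])
	ica2, ica2Key := issue("Test Intermediate R2", true, nil, root, rootKey)
	leaf2, _ := issue("example.test", false, leafKey, ica2, ica2Key)
	for _, c := range []*x509.Certificate{leaf2, ica2, root} { // the chain a client now sees
		if Pin(c) == pinned {
			return true
		}
	}
	return false // only the intermediate pin lands here
}
```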