Is it more reasonable to use the condition that the notBefore of the leaf cert 
is greater than April 15th, 2025 as the condition for the untrusted anchor 
point? At the same time, it can also achieve the purpose of phasing out CAs 
that are too old.

Corrections are welcome if any of my ideas are wrong.


On Tuesday, April 1, 2025 at 11:03:29 PM UTC+8 Ben Wilson wrote:

> Per - https://bugzilla.mozilla.org/show_bug.cgi?id=1891438#c15:
>
> "In the interest of transparency, Mozilla received a formal request from 
> Taiwan’s Ministry of Digital Affairs (MODA), dated March 15, 2025, 
> requesting that we *delay the removal of the “websites” trust bit* for 
> Chunghwa Telecom’s *ePKI Root CA*, which is currently scheduled to occur 
> on or about April 15, 2025, in accordance with Mozilla’s Root CA 
> Lifecycles Transition Schedule 
> <https://wiki.mozilla.org/CA/Root_CA_Lifecycles#Transition_Schedule>.
>
> MODA explained that the requested delay is intended to support the ongoing 
> transition of government websites away from certificates issued by CHT’s 
> *GTLSCA-G1 subordinate CA*. As we understand it, MODA is already 
> implementing a short-term migration plan involving the dual issuance of 
> approximately *12,000 new certificates* for government websites—one from 
> Chunghwa Telecom and one from *Taiwan CA (TWCA)*—to ensure continued 
> availability of government services and minimize user disruption.
>
> While we have not yet finalized a decision, we are currently contemplating:
>
>    - Postponing the removal of the “websites” trust bit;
>    - Implementing a distrust-after date; or
>    - Taking other actions consistent with Mozilla Root Store Policy and 
>    ecosystem risk management.
>
> We note that:
>
>    - The ePKI Root CA uses a 4096-bit RSA key, which provides stronger 
>    security than other similarly aged root certificates.
>    - Any extension under consideration would be *strictly time-bounded* 
>    (e.g., not to exceed *August 1, 2025*), reflecting a 
>    *short-term accommodation*, not a change in long-term policy direction.
>    - Mozilla would retain the right to remove or revoke trust 
>    *at any time*, based on new information or evolving risk factors.
>
> We welcome feedback on any of these approaches."
> Thanks,
> Ben
>
>
