I assumed that is what they meant by "distrust-after date" - I might be wrong. In any case, I think it's a good idea.
On Wed, 9 Apr 2025 at 16:32, Arabella Barks <[email protected]> wrote:

> Is it more reasonable to use the condition, notBefore of the leaf cert
> greater than April 15th, 2025 as a condition for the untrusted anchor
> point? At the same time, it can also achieve the purpose of phasing out CAs
> that are too old.
>
> Correction is welcome if any of my ideas is wrong.
>
>
> On Tuesday, April 1, 2025 at 11:03:29 PM UTC+8 Ben Wilson wrote:
>
>> Per - https://bugzilla.mozilla.org/show_bug.cgi?id=1891438#c15:
>>
>> "In the interest of transparency, Mozilla received a formal request from
>> Taiwan’s Ministry of Digital Affairs (MODA), dated March 15, 2025,
>> requesting that we *delay the removal of the “websites” trust bit* for
>> Chunghwa Telecom’s *ePKI Root CA*, which is currently scheduled to occur
>> on or about April 15, 2025, in accordance with Mozilla’s Root CA
>> Lifecycles Transition Schedule
>> <https://wiki.mozilla.org/CA/Root_CA_Lifecycles#Transition_Schedule>.
>>
>> MODA explained that the requested delay is intended to support the
>> ongoing transition of government websites away from certificates issued by
>> CHT’s *GTLSCA-G1 subordinate CA*. As we understand it, MODA is already
>> implementing a short-term migration plan involving the dual issuance of
>> approximately *12,000 new certificates* for government websites—one from
>> Chunghwa Telecom and one from *Taiwan CA (TWCA)*—to ensure continued
>> availability of government services and minimize user disruption.
>>
>> While we have not yet finalized a decision, we are currently
>> contemplating:
>>
>> - Postponing the removal of the “websites” trust bit;
>> - Implementing a distrust-after date; or
>> - Taking other actions consistent with Mozilla Root Store Policy and
>> ecosystem risk management.
>>
>> We note that:
>>
>> - The ePKI Root CA uses a 4096-bit RSA key, which provides stronger
>> security than other similarly aged root certificates.
>> - Any extension under consideration would be *strictly time-bounded*
>> (e.g., not to exceed *August 1, 2025*), reflecting a *short-term
>> accommodation*, not a change in long-term policy direction.
>> - Mozilla would retain the right to remove or revoke trust *at any
>> time*, based on new information or evolving risk factors.
>>
>> We welcome feedback on any of these approaches."
>> Thanks,
>> Ben
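The difference between removing the "websites" trust bit and applying a distrust-after date keyed on the leaf's notBefore, as an added example that is not part of the thread or of Mozilla's code. The `Anchor` and `Leaf` records, the sample leaves, and the use of April 15, 2025 (the date suggested in the thread) as the cutoff are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Anchor:                      # hypothetical root-store entry
    name: str
    websites_trust_bit: bool
    distrust_after: Optional[datetime] = None

@dataclass
class Leaf:                        # only the fields this check needs
    subject: str
    not_before: datetime
    not_after: datetime

def evaluate(leaf: Leaf, anchor: Anchor, now: datetime) -> str:
    """Return 'trusted' or the reason the chain is rejected for TLS."""
    if not anchor.websites_trust_bit:
        return "rejected: websites trust bit removed"
    if not (leaf.not_before <= now <= leaf.not_after):
        return "rejected: outside validity period"
    # notBefore is asserted by the issuing CA, so this check is only as
    # reliable as the CA's issuance dates.
    if anchor.distrust_after and leaf.not_before > anchor.distrust_after:
        return "rejected: issued after distrust-after date"
    return "trusted"

UTC = timezone.utc
CUTOFF = datetime(2025, 4, 15, tzinfo=UTC)   # assumed: date suggested in the thread
# Constructed sample leaves: one issued before the cutoff, one after.
OLD = Leaf("old.example", datetime(2025, 3, 1, tzinfo=UTC), datetime(2026, 3, 1, tzinfo=UTC))
NEW = Leaf("new.example", datetime(2025, 5, 1, tzinfo=UTC), datetime(2026, 5, 1, tzinfo=UTC))
NOW = datetime(2025, 6, 1, tzinfo=UTC)

def compare_options():
    """Evaluate both sample leaves under each option discussed in the thread."""
    removed = Anchor("ePKI Root CA", websites_trust_bit=False)
    dated = Anchor("ePKI Root CA", websites_trust_bit=True, distrust_after=CUTOFF)
    return {
        "removal": [evaluate(OLD, removed, NOW), evaluate(NEW, removed, NOW)],
        "distrust_after": [evaluate(OLD, dated, NOW), evaluate(NEW, dated, NOW)],
    }

if __name__ == "__main__":
    for option, results in compare_options().items():
        print(option, results)
```

Under the distrust-after option the leaf issued before the cutoff keeps validating until it expires, while new issuance from the same root is rejected.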
