Paul Hoffman wrote:
> Unless Mozilla says "we are going to yank that particular Verisign
> certificate, and all the ones with similar key lengths, decades before
> they expire", there is absolutely no reason for us to, 20 years in
> advance, start requiring "new" CAs to use stronger keys. It is just not
> justified.

I don't think it's nearly that black-and-white. Changing existing roots is a high-cost, long-lead process; raising the bar on new roots is cheap and fast. I don't understand why the two are incompatible, nor why progress should be gated upon perfection. Are new CAs objecting to the use of stronger certs?

> Proposal:
> [...]

A three-phase migration might be a bit more orderly:

1) short-term: raise bar on new CAs
2) mid-term: get existing CAs to switch to stronger roots
3) long-term: remove weak roots.

#2 helps mitigate the impact of #3 on end-users, lest something force the issue sooner than desired.

Justin
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto