Re: Remove old StartCom root certs from NSS

2017-08-22 Thread Kathleen Wilson via dev-security-policy
I have filed Bug #1392849 to remove the old StartCom root certificates. This 
will likely happen in the October batch of root changes.

Kathleen 
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: BR compliance of legacy certs at root inclusion time

2017-08-22 Thread Ryan Sleevi via dev-security-policy
On Tue, Aug 22, 2017 at 12:01 PM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 21/08/17 06:20, Peter Kurrasch wrote:
> > The CA should decide what makes the most sense for their particular
> > situation, but I think they should be able to provide assurances that
> > only BR-compliant certs will ever chain to any roots they submit to the
> > Mozilla root inclusion program.
>
> So you are suggesting that we should state the goal, and let the CA work
> out how to achieve it? That makes sense.
>
> I agree with Nick that transparency is important.
>
> Is there room for an assessment of risk, or do we need a blanket
> statement? If, say, a CA used short serials up until 2 years ago but has
> since ceased the practice, we might say that's not sufficiently risky
> for them to have to stand up and migrate to a new cross-signed root. I
> agree that becomes subjective.


I think it'd be useful if we knew of reasons why standing up (and
migrating) to a new infrastructure was not desirable?

It helps avoid value-based judgement of risk, which, like human processes
for verifying certificates, can fail - and instead sets up objective
criteria and processes that provide greater assurance. It's also useful to
consider that the function of cost (whether fiduciary or in complexity) is
something that is amortized over time, and achieves economies of scale
through its mandate, so we should keep a critical eye in remembering that
the associated costs will go down over time as CAs develop processes to
routinely do so.


Re: BR compliance of legacy certs at root inclusion time

2017-08-22 Thread Gervase Markham via dev-security-policy
On 21/08/17 06:20, Peter Kurrasch wrote:
> The CA should decide what makes the most sense for their particular
> situation, but I think they should be able to provide assurances that
> only BR-compliant certs will ever chain to any roots they submit to the
> Mozilla root inclusion program.

So you are suggesting that we should state the goal, and let the CA work
out how to achieve it? That makes sense.

I agree with Nick that transparency is important.

Is there room for an assessment of risk, or do we need a blanket
statement? If, say, a CA used short serials up until 2 years ago but has
since ceased the practice, we might say that's not sufficiently risky
for them to have to stand up and migrate to a new cross-signed root. I
agree that becomes subjective.

Gerv
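Gerv's "short serials" case above refers to the Baseline Requirements' rule (BR 7.1) that a certificate serial number carry at least 64 bits of CSPRNG output. The Python below is an added example, not code from this thread or from Mozilla: it walks just enough DER to read a certificate's serialNumber and flags serials that are too short to hold 64 random bits, the kind of length survey a root program or auditor could run over a CA's issued-certificate corpus when weighing the risk Gerv describes. The two certificates at the bottom are constructed, truncated fragments containing only the fields the parser reads, and all function names are this example's own.

```python
import base64
import re

# --- minimal DER helpers (only what the serial-number check needs) ---------

def _read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_from_pem(pem_text):
    """Strip PEM armour and base64-decode to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))

def certificate_serial(der):
    """Return the serialNumber (as an int) of a DER-encoded X.509 Certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }  -- only these leading fields are walked.
    """
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # [0] EXPLICIT version is optional
        tag, value, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(value, "big", signed=True)

def serial_from_pem(pem_text):
    return certificate_serial(der_from_pem(pem_text))

# --- the check ---------------------------------------------------------------

MIN_SERIAL_BITS = 64   # BR 7.1: at least 64 bits of CSPRNG output in the serial

def serial_bit_length(der):
    return certificate_serial(der).bit_length()

def is_short_serial(der):
    """True when the serial is non-positive or clearly too short for 64 random bits.

    A length check is necessary, not sufficient: a serial that is long enough can
    still be sequential, and a genuinely random 64-bit value has a small chance of
    leading zero bits, so borderline results are read against the CA's CPS.
    """
    serial = certificate_serial(der)
    return serial <= 0 or serial.bit_length() < MIN_SERIAL_BITS

# --- constructed samples (truncated certificates: only the fields above) ------

def _tlv(tag, value):
    assert len(value) < 128                 # short-form length suffices here
    return bytes([tag, len(value)]) + value

def _der_int(n):
    # minimal big-endian two's-complement encoding, as DER requires
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def _sample_cert(serial):
    version = _tlv(0xA0, _der_int(2))       # v3
    return _tlv(0x30, _tlv(0x30, version + _der_int(serial)))

SEQUENTIAL_SERIAL_CERT = _sample_cert(0x1234)               # 16-bit, counter-style (constructed)
RANDOM_SERIAL_CERT = _sample_cert(0x0123456789ABCDEF0123)   # 73-bit serial (constructed)
RANDOM_SERIAL_PEM = ("-----BEGIN CERTIFICATE-----\n"
                     + base64.b64encode(RANDOM_SERIAL_CERT).decode()
                     + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, der in [("sequential", SEQUENTIAL_SERIAL_CERT), ("random", RANDOM_SERIAL_CERT)]:
        print(name, hex(certificate_serial(der)), serial_bit_length(der), "bits",
              "SHORT" if is_short_serial(der) else "ok")
```

Run over a corpus, the useful output is the distribution of bit lengths per issuing CA over time: a population that moves from a few tens of bits to 64 or more at a known date corroborates the "ceased the practice two years ago" claim, whereas a length check alone cannot tell a random 80-bit serial from a padded sequential one, which is why the thread's point about transparency still matters.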