Re: New Blog Post on 398-Day Certificate Lifetimes

2020-08-25 Thread Ben Wilson via dev-security-policy
Dear Steven, CA certificates can have a validity longer than 398 days. The policy applies to the validity period of TLS server certificates. At the CA level, it will be enforced as a compliance issue in the root store when we accept or remove a root CA in the "publicly trusted" root store. It will

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-08-25 Thread None Of via dev-security-policy
On Tuesday, July 14, 2020 at 2:13:30 PM UTC-4, Ben Wilson wrote: > Hi Christian, > I think your concern is about how our code will enforce this. Because our > policy only applies to roots that are built in, our intent is to have our > code apply this restriction only to certificates that chain

Re: Concerns with Let's Encrypt repeated issuing for known fraudulent sites

2020-08-25 Thread nathali...--- via dev-security-policy
Apologies for triggering such a controversial discussion. Just to be clear, my original post was not directed at discrediting any practice of a CA, but rather to trigger discussion about what is/should be/will be the best option to solve the issue. > >> Why not just do the right thing? > >

Plans for new ECDSA root and new intermediates from Let's Encrypt

2020-08-25 Thread Jacob Hoffman-Andrews via dev-security-policy
Let’s Encrypt is planning to issue a new root and new intermediates soon. The new root will be an ECDSA one, to augment our existing RSA root. The new intermediates will be part of our regular replacement of intermediates. Our RSA root will cross-sign the ECDSA root. We’re sharing our detailed

Re: CCADB Updates August 20-24: Policy Document Objects

2020-08-25 Thread Kathleen Wilson via dev-security-policy
The CCADB has been updated to enable many-to-many mapping between policy documents and root certificates. If you run into any problems using the CCADB, please send an email to supp...@ccadb.org. We are already working to fix the AllCertificateRecordsCSVFormat report, which is currently