On Thu, 27 Mar 2014, Nicholas Weaver wrote:
Because the browsers have already decided killing off 1024b CAs is a good idea, and they could revoke just those CAs once someone breaks a 1024b example, since the browser vendors have good experience in revoking bad CAs already (cue DigiNotar...)
10-20 year validity.
In contrast, DNSSEC
1 month validity.

Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop