On Tue, Aug 9, 2022 at 4:08 PM Benjamin Kaduk <bka...@akamai.com> wrote:

> On Tue, Aug 09, 2022 at 03:59:01PM -0700, Eric Rescorla wrote:
> >
> > Be that as it may, the browsers generally require conformance to the BRs
> > (see, for instance
> > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
> > S 2.3,
> > https://www.chromium.org/Home/chromium-security/root-ca-policy/
> > S 1) so what the BRs say is relevant in this discussion.
>
> While it seems almost inevitable that the Web PKI will be used for some
> deployments of NTS, it also seems that NTS as a protocol is quite
> untethered to browser behavior or the Web PKI. So while I agree that the
> CABF BRs are relevant, they probably ought not be treated as the sole
> authority.

Fair enough. I would make several points:

1. Peter's message was not qualified to NTS. He wrote "For commercial CAs, the expiry time is a billing mechanism, not a security mechanism." So I was attempting to respond to the bigger picture.

2. It seems quite likely that many of the NTS certificates will be from WebPKI CAs, just because that's what's easy to get, and so you can't count on them providing revocation after expiry.

3. Are you aware of some other set of rules for certificate issuance that require revocation after the certificate has expired?

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls