Bugzilla

(In reply to Dana Keeler [:keeler] (use needinfo?) from comment #2)
> * exactly what date do we want to use as the cut-off? (the current date is
> near the release date for 48, I think. Kathleen has proposed using May 31,
> 2016)

Hmm, a few questions I have:
 - Have we communicated with CAs that we intend to do this?
 - Do the BR_9_2_* numbers suggest we should be OK with doing this sooner rather than later?

I prefer earlier, but I get the feeling some CAs are only capable of moving at a glacial pace...

> * currently this is not enforced for imported roots. Should there be an
> option to enforce in all cases?

I guess it depends on why we're doing this?
 - If it's mainly to enforce BR compliance and reduce the chance of name matching issues for public certs, then I guess not.
 - If we want to eventually remove the fallback code altogether, then yes, of course.

If we do want to enforce this for imported roots though, we're probably going to have to implement at least a web console warning or something for quite a long time, unless we want people to come screaming at us when we break their private PKI or whatever. Might help to have telemetry on these non-public certs as well (no idea if this would pass privacy review though).