On 5/25/14, 9:53 AM, Kurt Roeckx wrote:
On Tue, May 20, 2014 at 11:23:54AM -0700, Kathleen Wilson wrote:
Maybe we should re-visit the idea of a "wall of shame", and publicly list
the CAs who are still issuing certificates with the following problems.
[...]
* Certificate not version 3
I've only seen 1 such subscriber certificate, but I see 14 such
certificates in the CA root list.
...
Do we also want all the root CAs to change to v3?
I've been checking the cert version for roots during the
inclusion/approval process, so those version 1 root certs must be old --
issued before the Baseline Requirements initial Effective Date of 1 July
2012.
So really the question is: Should we have a project to proactively
remove those old version 1 roots?
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
