On 24/03/15 09:03, Kurt Roeckx wrote: > So it's my understanding that they were only supposed to issue > certificates for their own domain(s). Why wasn't this enforced by using > a name constraint?
The implied answer to this question from statements by the CNNIC representative is that their system was not set up to issue certificates with name constraints, and this is something they are now urgently looking at fixing. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
