* Kai Engert: > The discovery of any unconstrained and unrevoked intermediate CA > certificate that isn't controlled by the root CA organization results in > the immediate removal of the root CA from the Mozilla CA list.
In this case, wouldn't this require the removal of the Entrust root, not just the CNNIC root? Or wasn't the CNNIC SSL sub-CA certificate extended beyond 2012? Clearly, the removal of an actually relevant root CA from the trust store is not going to happen because the user impact and subsequent reduction in browser market share. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy