On 24/03/15 04:10 PM, Daniel Micay wrote:
> On 24/03/15 03:40 PM, Florian Weimer wrote:
>> * Kai Engert:
>>
>>> The discovery of any unconstrained and unrevoked intermediate CA
>>> certificate that isn't controlled by the root CA organization results in
>>> the immediate removal of the root CA from the Mozilla CA list.
>>
>> In this case, wouldn't this require the removal of the Entrust root,
>> not just the CNNIC root? Or wasn't the CNNIC SSL sub-CA certificate
>> extended beyond 2012?
>>
>> Clearly, the removal of an actually relevant root CA from the trust
>> store is not going to happen because of the user impact and subsequent
>> reduction in browser market share.
>
> They are not going to enforce the policies unless there is negative news
> coverage that outweighs whatever risk of losing market share they see
> from calling connections insecure when they are known to be insecure.
In other words, if you want the responsible choice to be made in these cases then you should be contacting news publications to shame Mozilla into doing the right thing - not a Mozilla mailing list.
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

