On Tuesday, March 24, 2015 at 3:41:50 PM UTC-4, Florian Weimer wrote:
> * Kai Engert:
>
> > The discovery of any unconstrained and unrevoked intermediate CA
> > certificate that isn't controlled by the root CA organization results in
> > the immediate removal of the root CA from the Mozilla CA list.
>
> In this case, wouldn't this require the removal of the Entrust root,
> not just the CNNIC root? Or wasn't the CNNIC SSL sub-CA certificate
> extended beyond 2012?
>
> Clearly, the removal of an actually relevant root CA from the trust
> store is not going to happen because of the user impact and subsequent
> reduction in browser market share.

Please note that the intermediate certificate which Entrust issued to CNNIC expired in 2012 and was not extended. Also note that the Basic Constraints had a path length of 0; as such the trust would not have extended to intermediates issued by CNNIC.
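
The path-length and expiry points in the reply above, as an added example that is not part of the original message: a simplified sketch of the RFC 5280 Basic Constraints and validity checks over plain records, with no signature verification. The `Cert` type, `check_chain`, the certificate names and the exact dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    path_len: Optional[int]  # pathLenConstraint; None means absent
    not_after: datetime

def check_chain(chain, now):
    """chain[0] is issued by the trust anchor, chain[-1] is the end entity.
    Returns (ok, reason). Follows the max_path_length logic of RFC 5280 6.1."""
    n = len(chain)
    max_path_len = n  # initial value: no limit tighter than the chain itself
    for i, cert in enumerate(chain):
        if now > cert.not_after:
            return False, f"{cert.subject}: expired"
        if i == n - 1:
            break  # end entity: CA-only checks do not apply
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA"
        if cert.subject != cert.issuer:  # self-issued certs do not count
            if max_path_len <= 0:
                return False, f"{cert.subject}: exceeds path length constraint"
            max_path_len -= 1
        if cert.path_len is not None and cert.path_len < max_path_len:
            max_path_len = cert.path_len
    return True, "ok"

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample records; the 2012 date is a placeholder within that year.
SUB_CA = Cert("CNNIC SSL sub-CA", "Entrust root", True, 0, _utc(2012, 12, 31))
MID = Cert("hypothetical intermediate", "CNNIC SSL sub-CA", True, None, _utc(2020, 1, 1))
LEAF = Cert("www.example.test", "hypothetical intermediate", False, None, _utc(2020, 1, 1))

if __name__ == "__main__":
    print(check_chain([SUB_CA, LEAF], _utc(2011, 6, 1)))       # direct leaf, before expiry
    print(check_chain([SUB_CA, MID, LEAF], _utc(2011, 6, 1)))  # extra intermediate
    print(check_chain([SUB_CA, LEAF], _utc(2015, 3, 24)))      # after expiry
```

A path length of 0 still lets the sub-CA issue end-entity certificates directly; it only rejects chains that put another CA below it.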