* Bruce:

> On Tuesday, March 24, 2015 at 3:41:50 PM UTC-4, Florian Weimer wrote:
>> * Kai Engert:
>>
>> > The discovery of any unconstrained and unrevoked intermediate CA
>> > certificate that isn't controlled by the root CA organization results in
>> > the immediate removal of the root CA from the Mozilla CA list.
>>
>> In this case, wouldn't this require the removal of the Entrust root,
>> not just the CNNIC root? Or wasn't the CNNIC SSL sub-CA certificate
>> extended beyond 2012?
>>
>> Clearly, the removal of an actually relevant root CA from the trust
>> store is not going to happen because of the user impact and subsequent
>> reduction in browser market share.
>
> Please note that the intermediate certificate which Entrust issued
> to CNNIC expired in 2012 and was not extended. Also note that the
> Basic Constraints had a path length of 0; as such the trust would
> not have extended to intermediates issued by CNNIC.

Sorry, Bruce, I saw your message just now, it was not properly threaded.

It is good to know that the certificate was not extended. But as I wrote in my other message, the CNNIC CPS from 2013 onwards claims that the Entrust signature is still valid. :-(

