* Gervase Markham:

> On 25/03/15 10:27, Florian Weimer wrote:
>> * The CNNIC CPS is incorrect, and they no longer run an
>> Entrust-sponsored sub-CA.
>
> I believe this is the correct answer. Quoting Bruce Morton in this thread:
>
> "Please note that the intermediate certificate which Entrust issued to
> CNNIC expired in 2012 and was not extended. Also note that the Basic
> Constraints had a path length of 0; as such the trust would not have
> extended to intermediates issued by CNNIC."

Yes, I saw this message only after I had posted the above.

This leads to the question why Ernst & Young, CNNIC's auditors, have not caught this discrepancy between the CPS and actual business practice. The most recent audit <https://cert.webtrust.org/SealFile?seal=1731&file=pdf> already covers the time period when CNNIC ceased to be an Entrust sub-CA.

(I think to clean up this mess, we should focus on formal mistakes by auditors, not things that can be downplayed as operational glitches.)

