On 01/04/15 22:41, Richard Barnes wrote:
> That's certainly an option. I didn't want to prescribe a specific
> mechanism in my initial proposal, since this seemed like an implementation
> detail. In principle, just a list of issuer/serial pairs would be
> sufficient to recognize bad certs, if CNNIC were uncomfortable releasing
> the full details.
I'm not sure that's true; it's easy to issue a new cert with the same issuer and serial but different dates or CN/SAN. I suggest issuer, serial, notBefore, notAfter, CN and all SAN at minimum.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
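The point Gerv makes above, shown in working code: an added example (not from the thread or from Mozilla) that uses only Go's standard library. It constructs a hypothetical issuer CA, issues two leaf certificates with the same issuer and serial number but different validity dates and SANs, and then compares them under both identifiers: the issuer/serial pair alone, and the fuller key (issuer, serial, notBefore, notAfter, CN and all SANs). All names, dates and serials are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// issuerSerialKey is the weak identifier from the proposal: issuer DN plus serial only.
func issuerSerialKey(c *x509.Certificate) string {
	return c.Issuer.String() + "|" + c.SerialNumber.Text(16)
}

// fullKey covers the fields suggested as the minimum: issuer, serial, notBefore,
// notAfter, CN and every SAN (DNS, IP, email and URI), hashed into one fixed-size key.
func fullKey(c *x509.Certificate) string {
	sans := append([]string(nil), c.DNSNames...)
	for _, ip := range c.IPAddresses {
		sans = append(sans, ip.String())
	}
	sans = append(sans, c.EmailAddresses...)
	for _, u := range c.URIs {
		sans = append(sans, u.String())
	}
	sort.Strings(sans) // order-independent so SAN ordering does not change the key
	parts := []string{
		c.Issuer.String(),
		c.SerialNumber.Text(16),
		c.NotBefore.UTC().Format(time.RFC3339),
		c.NotAfter.UTC().Format(time.RFC3339),
		c.Subject.CommonName,
		strings.Join(sans, ","),
	}
	sum := sha256.Sum256([]byte(strings.Join(parts, "\x00")))
	return hex.EncodeToString(sum[:])
}

// issueLeaf signs a leaf certificate with the constructed issuer; serial and names are caller-chosen.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string, sans []string, notBefore time.Time) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Comparison records whether each identifier tells the two constructed certs apart.
type Comparison struct {
	WeakKeyCollides bool // issuer+serial is identical, so a blocklist on it matches both
	FullKeyDiffers  bool // the fuller key distinguishes the re-issued cert
}

// Compare builds a hypothetical issuer CA, issues two certs sharing issuer and serial
// but differing in dates and SANs, and checks a blocklist keyed each way.
func Compare() (Comparison, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Comparison{}, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Hypothetical Issuer CA"}, // constructed
		NotBefore:             time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return Comparison{}, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return Comparison{}, err
	}
	base := time.Date(2015, 4, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	a, err := issueLeaf(ca, caKey, 4242, "www.example.test", []string{"www.example.test"}, base)
	if err != nil {
		return Comparison{}, err
	}
	// Same issuer and serial, but shifted validity and an extra SAN.
	b, err := issueLeaf(ca, caKey, 4242, "www.example.test", []string{"www.example.test", "login.example.test"}, base.AddDate(0, 1, 0))
	if err != nil {
		return Comparison{}, err
	}
	weakBlocklist := map[string]bool{issuerSerialKey(a): true}
	fullBlocklist := map[string]bool{fullKey(a): true}
	return Comparison{
		WeakKeyCollides: weakBlocklist[issuerSerialKey(b)],
		FullKeyDiffers:  !fullBlocklist[fullKey(b)],
	}, nil
}

func main() {
	r, err := Compare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuer/serial blocklist matches the re-issued cert: %v\n", r.WeakKeyCollides)
	fmt.Printf("full key distinguishes the re-issued cert:          %v\n", r.FullKeyDiffers)
}
```

The takeaway is the one in the reply: a list keyed only on issuer and serial matches both the disclosed certificate and any later one re-issued under the same serial, so it cannot tell a reviewer which certificate it was actually describing; including the validity dates and every name binds the entry to one specific issuance. A production matcher would normally key on the certificate's SHA-256 fingerprint as well, where the full DER is available.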

