Nick Lamb <[email protected]> writes:

>There's plenty of hysteria about this cert based on who it was issued to,
>which is funny because the best example of real trust ecosystem risk we have
>recently is from the Disney subCA [quietly revoked by its issuer when it
>ceased obeying the BRs...], yet I saw precisely zero people freaked out that
>Disney had an unconstrained intermediate when that information was first
>public.

Was it made public? All I've been able to find are two Bugzilla entries for the revocation:

https://bugzilla.mozilla.org/show_bug.cgi?id=1262993
https://bugzilla.mozilla.org/show_bug.cgi?id=1263127

which seems to have been done because they were using SHA-1. Was there any more to it than that?

Peter (resisting the temptation to make a comment about Mickey-Mouse security).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

