On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling <[email protected]> wrote: > Revocation of a "parent intermediate" does not exempt "child intermediates" > from the disclosure requirement, AFAICT. So I think the KBC Group CAs do > need to be disclosed to Salesforce.
If all paths from a trusted root to a given intermediate are revoked or expired, then I don't think it "directly or transitively chain[s] to a certificate included in Mozilla’s CA Certificate Program". It would be no different than a private CA which isn't part of the WebPKI graph. Thanks, Peter _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
