Agreed. I don't see a reason to disclose anything where the parent is revoked. I think it's a similar question as whether a CA has to disclose all the sub case under a root where removal from the root program was requested. In both cases the certs are not publicly trusted and don't affect the Mozilla community.
> On Jun 21, 2016, at 10:10 AM, Peter Bowen <[email protected]> wrote: > >> On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling <[email protected]> >> wrote: >> Revocation of a "parent intermediate" does not exempt "child intermediates" >> from the disclosure requirement, AFAICT. So I think the KBC Group CAs do >> need to be disclosed to Salesforce. > > If all paths from a trusted root to a given intermediate are revoked > or expired, then I don't think it "directly or transitively chain[s] > to a certificate included in Mozilla’s CA Certificate Program". It > would be no different than a private CA which isn't part of the WebPKI > graph. > > Thanks, > Peter > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
