On 31/08/16 19:13, Ryan Sleevi wrote: > A) Remove the CA. Users may manually trust it if they re-add it, but it will > not be trusted by default. ....
F) Distrust all certs with a notBefore date after date X, and require the CA to apply for re-inclusion to get the distrust lifted. (I.e. what happened to CNNIC.) It's theoretically possible for a CA to backdate notBefore, but if they are logging everything to CT, that will be noticable. And if they didn't log to CT, they would be breaking their promise to log everything to CT, which would be evidence of untrustworthiness. Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
