On 04/10/16 01:00, Ángel González wrote:
> Not really. Their old roots could sign their new roots, which would
> be enough to make them work on the older devices where it worked. The
> cost of untrusting the old roots is probably similar to that of
> adding new roots, so that the effort of chaining to a different CA
> is not worthwhile.

This is true as long as there is no gap between when you dis-trust the old roots and when you add the new ones to your store. But that's unlikely because dis-trusts normally happen fairly quickly, spinning up new roots takes time, and you may want it to be done under a reformed regime rather than under the old one.

Gerv

