On Tue, Oct 04, 2016 at 01:14:45PM -0700, Percy wrote:
> On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote:
> > Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates
> > that we'd issued to WoSign:
>
> Does this mean all end entity certs chained to them are blocked immediately?

It means that some of the alternative chains that can be used to validate
the chain will no longer work. Depending on the root store this might
mean the end entity cert can or can't be validated anymore.

As I understand this, it currently doesn't have any impact on things using
the (default) Mozilla root store, but it might have if the StartCom and
WoSign roots were removed.

I can't remember if there were other cross signatures.

Kurt
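The effect described in the reply above, as an added example that is not part of the original message: a minimal path builder over a constructed certificate pool, showing that a revoked cross-certificate only breaks validation when the root store lacks another anchor. All names ("Issuing CA", "New Root", "Old Root") are placeholders, and matching on subject name alone is a simplifying assumption.

```python
from typing import NamedTuple

class Cert(NamedTuple):
    cert_id: str
    subject: str
    issuer: str
    revoked: bool = False

def build_paths(leaf, pool, trust_store):
    """Return every chain from leaf to a trusted root name, skipping revoked certs.

    trust_store is a set of root subject names (constructed model).
    """
    paths = []

    def walk(cert, chain):
        if cert.revoked:
            return  # revoked (CRL/OCSP) certs cannot appear in a valid chain
        chain = chain + [cert.cert_id]
        if cert.issuer in trust_store:
            paths.append(chain + ["anchor:" + cert.issuer])
        # Try every other cert whose subject matches our issuer (alternative chains).
        for cand in pool:
            if cand.subject == cert.issuer and cand.cert_id not in chain:
                walk(cand, chain)

    walk(leaf, [])
    return paths

def validates(leaf, pool, trust_store):
    return bool(build_paths(leaf, pool, trust_store))

def sample_pool(cross_revoked):
    # Constructed sample: one intermediate plus one cross-certificate that
    # lets "New Root" chain up to "Old Root".
    return [
        Cert("intermediate", "Issuing CA", "New Root"),
        Cert("cross", "New Root", "Old Root", revoked=cross_revoked),
    ]

LEAF = Cert("leaf", "example.test", "Issuing CA")

if __name__ == "__main__":
    for store in ({"New Root", "Old Root"}, {"Old Root"}):
        for revoked in (False, True):
            paths = build_paths(LEAF, sample_pool(revoked), store)
            print(sorted(store), "cross revoked:", revoked, "->", paths)
```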

