You can see from image1 that all StartCom roots are marked distrust systemwide. No WoSign roots are included on Mac.
However when I'm accessing https://www.schrauger.com/ in Chrome, the HTTPS connection is marked as valid (image2) and the certification authority of WoSign is regarded as a valid intermediate cert. In the same session, when accessing https://wosign.com, the same intermediate cert is marked as untrusted (image3) which is what I expect. The same thing happened in Safari (Image 4&5). Can someone explain how the Certification Authority of WoSign (Serial number: 7250751724796726) is sometimes valid when the root cert is distrusted? Images: https://docs.google.com/document/d/1oB8P9466KcQhq8aZPvw9b8LEt9S0hffMWjoN7t3r8xg/edit _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
