On 24/01/17 16:00, Richard Barnes wrote:
> Except of course the non-zero slice of users that haven't updated yet.

True, although I think it's unreasonable to give CAs a dependency on the quality of our automatic update infrastructure. We can have a discussion about whether "checked into master" or "shipped in Firefox" is the right point to allow them to say a root is no longer trusted and act accordingly, but pushing it out past the ship date seems unreasonable to me. (Not sure we have a policy on this...)

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

