On 21/04/17 18:19, Eric Mill wrote:
> The FPKI cross-signs at issue in Issue L are now expired (and so don't show
> on the links above). They do show when expired certificates are included --
> there are 6 of them with OU=FPKI:
> https://crt.sh/?Identity=%25&iCAID=1384
>
> Each of those certificates lack a pathlen:0 constraint, and appear to be
> the only ones that do. Symantec noted that they are path length constrained
> in their response, but since they also referenced Federal PKI policy OIDs
> (which are not respected by Web PKI clients), I thought it was worth being
> explicit about the difference between the certificates referenced here and
> those referenced in Issue L.

In other words, the FPKI cross-signs weren't path length constrained and so promulgated trust from the entire FPKI, but the Issue Y intermediates are constrained and so the impact is less?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
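
Added example, not part of the original thread: a simplified model of the RFC 5280 section 6.1 path-length processing that a Web PKI client applies, showing how a pathlen:0 cross-certificate stops subordinate CAs from chaining while an unconstrained one does not. The certificate names and the `Cert`, `sample_chain` and `check_path_length` helpers are constructed for illustration; signature, name and policy checks are omitted.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    path_len: Optional[int] = None  # None means no pathLenConstraint present


def check_path_length(chain: List[Cert]) -> Tuple[bool, str]:
    """Apply basicConstraints rules to a chain ordered from the certificate
    issued by the trust anchor down to the end-entity certificate."""
    max_path_length = len(chain)  # initial value: n, the path length
    for cert in chain[:-1]:  # every certificate except the last must be a CA
        if not cert.is_ca:
            return False, f"{cert.subject}: not a CA"
        if cert.subject != cert.issuer:  # self-issued certs do not count
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length exceeded"
            max_path_length -= 1
        # A pathLenConstraint can only tighten the remaining budget.
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "ok"


def sample_chain(cross_path_len: Optional[int]) -> List[Cert]:
    """Constructed chain: a public root cross-signs a bridge CA, below which
    sit two further CAs and a leaf. All names are made up."""
    return [
        Cert("Constructed Bridge CA", "Constructed Public Root", True, cross_path_len),
        Cert("Constructed Agency CA", "Constructed Bridge CA", True),
        Cert("Constructed Sub CA", "Constructed Agency CA", True),
        Cert("leaf.example", "Constructed Sub CA"),
    ]


if __name__ == "__main__":
    for constraint in (None, 0):
        print("pathLenConstraint =", constraint, "->",
              check_path_length(sample_chain(constraint)))
```
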