On 21/04/17 18:19, Eric Mill wrote:
> The FPKI cross-signs at issue in Issue L are now expired (and so don't show
> on the links above). They do show when expired certificates are included --
> there are 6 of them with OU=FPKI:
> https://crt.sh/?Identity=%25&iCAID=1384
> Each of those certificates lacks a pathlen:0 constraint, and they appear to be
> the only ones that do. Symantec noted that they are path length constrained
> in their response, but since they also referenced Federal PKI policy OIDs
> (which are not respected by Web PKI clients), I thought it was worth being
> explicit about the difference between the certificates referenced here and
> those referenced in Issue L.

In other words, the FPKI cross-signs weren't path length constrained and
so promulgated trust from the entire FPKI, but the Issue Y intermediates
are constrained and so the impact is less?


dev-security-policy mailing list