But Censys lists it as a trusted intermediate chaining to a root ( 
ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa ) in NSS: 


With respect to Gerv's question: given the ample time to disclose 
intermediates, and given all CAs in the program indicated that they had, seems 
reasonable to immediately add undisclosed ones that are discovered to OneCRL. 
Other than some breakage, as already noted, main downside would seem to be 
potentially large growth in OneCRL.

On Thursday, June 8, 2017 at 7:58:51 AM UTC-4, Kurt Roeckx wrote:
> On 2017-06-08 13:31, richmoor...@gmail.com wrote:
> > This one is interesting since the domain name of the CRL resolves to an RFC 
> > 1918 IP address. Surely that is a violation of the baseline requirements.
> > 
> > https://crt.sh/?sha256=b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca
> That seems to be a root CA. It does not mention any CRL. I don't expect 
> a root CA to have a CRL. I'm not sure from where crt.sh is getting the 
> Kurt

dev-security-policy mailing list

Reply via email to