On 2017-06-08 14:09, wiz...@ida.net wrote:
> But Censys lists it as a trusted intermediate chaining to a root (
> ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa ) in NSS:
I got confused by crt.sh; it's not obvious whether a certificate is in some
root store or not. They have another certificate
for the same CA that is in the root store.
I have no idea what common implementations do when trying to validate a
chain with such a certificate in the middle.
> With respect to Gerv's question: given the ample time to disclose
> intermediates, and given that all CAs in the program indicated that they had, it seems
> reasonable to immediately add undisclosed ones that are discovered to OneCRL.
> Other than some breakage, as already noted, the main downside would seem to be
> potentially large growth in OneCRL.
I think there are two solutions: OneCRL or a whitelist. OneCRL is probably
easier to do; no new code would need to be written in the browser or
NSS. A whitelist would mean that the list would need to be updated
regularly, and that list is probably larger.
dev-security-policy mailing list