All, I think we should remove the two old CNNIC root certificates from NSS that are not trusted for cert issuance after April 2015.
Reference: https://wiki.mozilla.org/CA/Additional_Trust_Changes#CNNIC "Mozilla currently recommends not trusting any certificates issued by this CA after 1st April 2015. This covers two roots in our store - "CNNIC ROOT" and "China Internet Network Information Center EV Certificates Root". We have a whitelist of older certificates, and tools to generate it. The code implementing this restriction is in the Mozilla platform security code (PSM), which is shared by the Mozilla applications (Firefox, Thunderbird, etc.)." Please let me know if you foresee any problems with removing these two root certs from NSS. Thanks, Kathleen _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
