Hi Franck,

On 18/09/17 15:49, Franck Leroy wrote:
> Our understanding in April was that as long as StartCom is not
> allowed by Certinomis to issue EE certs, the disclosure was not
> mandated immediately.

I think that we need to establish a timeline of the exact events involved here. But I would say that it seems to me that StartCom _were_ issuing EE certs at that time, from the part of their hierarchy that you had cross-signed. In what way was Certinomis forbidding them from doing so? My understanding is that your answer to this question is...

> This control that StartCom was not allowed to use our path was
> technically in place by the fact that I was the only one to have the
> intermediate cross-signed certificates, stored (retained) in my
> personal safe.

...that you had not given StartCom a copy of the cross-sign. However, leaving aside for the moment the reasonable question about how such an assertion can be audited, the point is that once the certificate _does_ become public, all of the existing certificates immediately become publicly trusted. Wouldn't you agree?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
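The point Gerv makes, that a cross-sign certificate only has to become public for every certificate already issued under the cross-signed intermediate to chain to the cross-signing root, can be shown with a toy chain builder. This is an added example, not code from the list, Mozilla, Certinomis or StartCom; all keys, names and certificates are constructed in the script, and the path search is a simplified signature-only check, not a full RFC 5280 validator.

```python
"""Toy demo: a leaf issued by an intermediate chains to the cross-signing
root as soon as the cross-sign certificate is in the pool (constructed)."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, pubkey, signer_key, ca):
    """Build and sign a minimal certificate (hypothetical helper)."""
    start = datetime.datetime(2017, 1, 1)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """True if issuer's subject matches and its key verifies cert's signature."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def chains_to(cert, root, pool, depth=4):
    """Depth-first search for an issuer path from cert to root via pool."""
    if signed_by(cert, root):
        return True
    return depth > 0 and any(signed_by(cert, c) and chains_to(c, root, pool, depth - 1)
                             for c in pool if c is not cert)

# Constructed hierarchy: two roots, one StartCom intermediate key, one leaf.
cn_key, sc_root_key, sc_int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
certinomis_root = make_cert("Certinomis Root", "Certinomis Root", cn_key.public_key(), cn_key, True)
startcom_root = make_cert("StartCom Root", "StartCom Root", sc_root_key.public_key(), sc_root_key, True)
startcom_int = make_cert("StartCom Intermediate", "StartCom Root", sc_int_key.public_key(), sc_root_key, True)
# Same subject and key as startcom_int, but issued by the Certinomis root.
cross_sign = make_cert("StartCom Intermediate", "Certinomis Root", sc_int_key.public_key(), cn_key, True)
leaf = make_cert("example.test", "StartCom Intermediate", leaf_key.public_key(), sc_int_key, False)

def trusted_via_certinomis(cross_sign_public):
    """Does the existing leaf chain to Certinomis once the cross-sign is available?"""
    pool = [startcom_int] + ([cross_sign] if cross_sign_public else [])
    return chains_to(leaf, certinomis_root, pool)
```

The leaf never changes; only the availability of the cross-sign decides whether a Certinomis-trusting client accepts it.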