Hey all,

We're working towards revoking certs with underscore characters in the domain name, per SC12, but I had a question about legacy Symantec systems and Mozilla. These particular roots are no longer trusted for TLS certs in Google or Mozilla, which means the applicability of the BRs is dubious. The roots are shortly being removed from Microsoft and Apple, although that's more of an FYI rather than something with direct bearing on the Mozilla community.

If the roots are no longer trusted for TLS in Mozilla, is there any requirement to revoke the certs issued under those roots? My initial thought is no as this is similar to what Comodo did with their request to remove a SHA1 root (and what DigiCert did with one of the Verizon roots). Note these are still flagged by zlint because they are trusted in older systems.

Because the situation is slightly different with the way distrust was technically implemented, I wanted to see if there were any concerns with the community about treating these as private going forward, similar to the SHA1 roots. Thoughts?

Jeremy
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

