On Tue, Sep 17, 2019 at 8:23 AM nenyotoso--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Hi,
> While Japanese ApplicationCA2 Root has been rejected as a Root CA [1] and
> is no longer in operation [2],
> I become aware of CRL endpoint of both the CA and at least one of sub-CA
> is unavailable.
> a sub-CA: https://crt.sh/?id=9341006
> leaf certificate issued from the sub-CA: https://crt.sh/?id=524524172
> (you can browse all issued certificates from the sub-CA with
> https://crt.sh/?Identity=%25&iCAID=1419)
> Both of them was revoked but CRL endpoint is unavailable now with HTTP 404
> error response.
> OCSP also fails.
> Is it OK to abandon CRL for the decommissioned CA even if there are still
> unexpired certificates?
> The certificates was revoked but we have no way to validate it in a
> PKI-ish manner...
If there are user agents that continue to trust this root, then this is
certainly a bad thing.

Sorry if it is off-topic because the CA has never been approved as Root CA
> by Mozilla.

It appears that Microsoft may still trust this root. I'll inform them.


dev-security-policy mailing list
  • CRL for decommissioned CA nenyotoso--- via dev-security-policy
    • Re: CRL for decommissioned CA Wayne Thayer via dev-security-policy

Reply via email to