On Tue, Sep 17, 2019 at 8:23 AM nenyotoso--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Hi,
>
> While Japanese ApplicationCA2 Root has been rejected as a Root CA [1] and
> is no longer in operation [2],
> I became aware that the CRL endpoint of both the CA and at least one sub-CA
> is unavailable.
>
> a sub-CA: https://crt.sh/?id=9341006
> leaf certificate issued from the sub-CA: https://crt.sh/?id=524524172
> (you can browse all issued certificates from the sub-CA with
> https://crt.sh/?Identity=%25&iCAID=1419)
>
> Both of them were revoked but the CRL endpoint is unavailable now with an
> HTTP 404 error response.
> OCSP also fails.
>
> Is it OK to abandon the CRL for the decommissioned CA even if there are still
> unexpired certificates?
> The certificates were revoked but we have no way to validate it in a
> PKI-ish manner...
>

If there are user agents that continue to trust this root, then this is certainly a bad thing.

> Sorry if it is off-topic because the CA has never been approved as Root CA
> by Mozilla.
>

It appears that Microsoft may still trust this root. I'll inform them.

Thanks,

Wayne