On 2014-01-03 14:24, Ralph Holz wrote:
> Hi,
>
>> My understanding of what Jakob wrote is that he holds the key for a
>> subordinate CA. Unless the CA that "signed" that subordinate has
>> been removed from trust lists then that subordinate would still be
>> useful, yes.
> The subordinate certificate is blacklisted in browsers. Furthermore,
> Mozilla does not accept any non-root certs with MD5 signatures since
> mid-2011.
>
> Ralph
>
Assumes you run an updated browser, right?
Blacklisting isn't part of the PKIX trust model, but a band-aid used to
fix the lack of deployed/able revocation.
Cheers Leif
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
