Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year which chain to root CAs in Mozilla's program:
- https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root [DigiCert] via subCA "Eurida Primary CA" via subCA "DnB NOR ASA PKI Class G" Also, the OCSP responder for this certificate appears to not include a nextUpdate field. - https://crt.sh/?id=12090324 -- chains to Security Communication RootCA1 [SECOM] via subCA "YourNet SSL for business" Also, this certificate is also missing OCSP information and appears to be being served without OCSP stapling support. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy