On 2/8/16 2:36 PM, Kurt Roeckx wrote:
> On Mon, Feb 08, 2016 at 02:30:05PM -0800, Kathleen Wilson wrote:
>> Not much you can do about a currently-included root certificate other than
>> re-issue the root certificate which can cause many other problems.
>
> So I was under the impression that they needed to check their
> currently signed certificates. Should they only check their own
> root CA certificate for lint errors?
>
> Kurt

Yes, CAs should check the certificates chaining up to their included
root certs.
Bugzilla Bugs may be filed for non-BR-compliant certificates chaining up
to included root certificates, and added to the dependency list for
https://bugzilla.mozilla.org/show_bug.cgi?id=1029147
Unfortunately I do not have the bandwidth to chase these down, but I can
help get the bugs directed to the responsible CA representative.
Note that I think there are still some things with the certlint tests
that need to be ironed out, before filing bugs for every reported error.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy