On 24/02/16 15:45, Jeremy Rowley wrote: > I think Rob's questions are great and should be answered before deciding. > Many CAs have roots and can issue certs that browsers will simply reject. > There may be a simple way to provide them certs without issuing a ton of > SHA1s that are placed on OneCRL.
As noted during the CAB Forum meeting where this was discussed: they have 200,000+ devices affected, and the "use an old or decommissioned or otherwise non-BR root" plan works with 90% of them, but not all. That was plan A, and it didn't work. We are now on plan B. Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
