On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
> Revocation of a "parent intermediate" does not exempt "child intermediates"
> from the disclosure requirement, AFAICT.  So I think the KBC Group CAs do
> need to be disclosed to Salesforce.

If all paths from a trusted root to a given intermediate are revoked
or expired, then I don't think it "directly or transitively chain[s]
to a certificate included in Mozilla’s CA Certificate Program".  It
would be no different than a private CA which isn't part of the WebPKI
graph.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
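
Added example, not part of the original message: a sketch of the reachability test the reply describes, treating each CA certificate as an issuer-to-subject edge and asking whether any path to a trusted root survives once revoked or expired certificates are dropped. All CA names, dates and the `chains_to_root` helper are constructed for illustration; the `ignore_status=True` mode shows the stricter reading from the quoted text, where revocation of a parent does not remove the child from scope.

```python
from datetime import date

# Constructed sample data: one tuple per CA certificate (an edge in the graph).
# (issuer, subject, not_after, revoked) -- all names are hypothetical.
CERTS = [
    ("Root A", "Parent Int 1", date(2020, 1, 1), True),    # revoked
    ("Root A", "Parent Int 2", date(2015, 1, 1), False),   # expired
    ("Root A", "Other Int", date(2020, 1, 1), False),
    ("Parent Int 1", "Child Int", date(2020, 1, 1), False),
    ("Parent Int 2", "Child Int", date(2020, 1, 1), False),
    ("Parent Int 1", "Cross-signed Child", date(2020, 1, 1), False),
    ("Other Int", "Cross-signed Child", date(2020, 1, 1), False),
]
TRUSTED_ROOTS = {"Root A"}
TODAY = date(2016, 6, 21)  # evaluation date (assumption: date of the message)


def chains_to_root(subject, certs, roots, today, ignore_status=False):
    """Return True if `subject` reaches a trusted root by walking issuer edges.

    With ignore_status=False, revoked or expired certificates are not usable
    edges, so a CA whose every path is cut is treated as outside the graph.
    With ignore_status=True, every issued certificate counts as an edge.
    """
    seen, stack = set(), [subject]
    while stack:
        node = stack.pop()
        if node in roots:
            return True
        if node in seen:          # guards against cross-signing loops
            continue
        seen.add(node)
        for issuer, subj, not_after, revoked in certs:
            if subj != node:
                continue
            if not ignore_status and (revoked or not_after < today):
                continue          # this certificate no longer links the chain
            stack.append(issuer)
    return False


if __name__ == "__main__":
    for ca in ("Child Int", "Cross-signed Child"):
        live = chains_to_root(ca, CERTS, TRUSTED_ROOTS, TODAY)
        ever = chains_to_root(ca, CERTS, TRUSTED_ROOTS, TODAY, ignore_status=True)
        print(f"{ca}: live path={live}, any issued path={ever}")
```

A cross-signed intermediate stays in scope under both readings as long as one unrevoked, unexpired path remains, which is why every path has to be enumerated before concluding that a CA has dropped out of the graph.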
